Talos Rules 2024-06-25
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the app-detect, file-pdf, malware-cnc, malware-tools and os-other rule sets to provide coverage for emerging threats.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2024-06-25 14:09:38 UTC

Snort Subscriber Rules Update

Date: 2024-06-25

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2092000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
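The line format just described is easy to parse mechanically, which helps when a release touches a hundred-plus app-detect rules across three Snort versions and you want to know what will actually fire after the update. The following Python is an added example, not part of the Talos release or of the Snort distribution; the two excerpts embedded in it are constructed from a handful of the entries listed below and are not the full lists. It parses the `gid:sid <-> state <-> message (group)` lines, reports which new rules are ENABLED by default versus shipped DISABLED (the latter do nothing until you enable them in your policy), counts rules per group, and checks that two version blocks carry the same rule set regardless of ordering. The remark that GID 3 denotes shared-object rules is standard Snort convention, not something this page states.

```python
import re
from collections import Counter

# Constructed excerpt in the changelog's own line format: a hand-picked
# subset of the entries on this page, not the complete release list.
SAMPLE_2092000 = """\
New Rules:

 * 1:63607 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
 * 1:63606 <-> ENABLED <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt (malware-cnc.rules)
 * 3:63610 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:13360 <-> DISABLED <-> APP-DETECT FTP 530 Login failed response (app-detect.rules)
 * 1:560 <-> DISABLED <-> APP-DETECT VNC server response (app-detect.rules)
"""

# Same constructed entries as a second version block lists them:
# different order, same rule set.
SAMPLE_2091900 = """\
New Rules:

 * 1:63606 <-> ENABLED <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt (malware-cnc.rules)
 * 3:63610 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
 * 1:63607 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)

Modified Rules:

 * 1:560 <-> DISABLED <-> APP-DETECT VNC server response (app-detect.rules)
 * 1:13360 <-> DISABLED <-> APP-DETECT FTP 530 Login failed response (app-detect.rules)
"""

# One changelog line: "gid:sid <-> STATE <-> message (group.rules)"
ENTRY_RE = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)"
    r"\s+<->\s+(?P<msg>.+?)\s+\((?P<group>[\w.-]+\.rules)\)\s*$"
)


def parse_changelog(text):
    """Return one dict per rule line, tagged with the section it appeared in."""
    section = None
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # blank lines, headers and prose are skipped
        if section is None:
            raise ValueError("rule line before any section header: %r" % line)
        entries.append({
            "gid": int(m["gid"]),
            "sid": int(m["sid"]),
            "state": m["state"],
            "msg": m["msg"],
            "group": m["group"],
            "section": section,
            # GID 1 is a text rule; GID 3 is a shared-object (SO) rule shipped
            # as a compiled module, which is how TRUFFLEHUNTER coverage arrives.
            "so_rule": m["gid"] == "3",
        })
    return entries


def rules_with_state(entries, state, section="new"):
    """Sorted gid:sid strings in a section that carry the given default state."""
    return sorted(f"{e['gid']}:{e['sid']}" for e in entries
                  if e["section"] == section and e["state"] == state)


def count_by_group(entries):
    """How many lines in the release touch each .rules group."""
    return Counter(e["group"] for e in entries)


def same_rule_set(a, b):
    """True when two version blocks list identical rules and states, ignoring order."""
    def key(e):
        return (e["section"], e["gid"], e["sid"], e["state"], e["msg"], e["group"])
    return sorted(map(key, a)) == sorted(map(key, b))


if __name__ == "__main__":
    entries = parse_changelog(SAMPLE_2092000)
    print("new, on by default :", rules_with_state(entries, "ENABLED"))
    print("new, off by default:", rules_with_state(entries, "DISABLED"))
    print("per group          :", dict(count_by_group(entries)))
    print("blocks agree       :", same_rule_set(entries, parse_changelog(SAMPLE_2091900)))
```

Run against the full blocks on this page, the split is the practical takeaway: only the MALWARE-CNC rule 1:63606 and the GID 3 TRUFFLEHUNTER rules ship ENABLED, while both MALWARE-TOOLS payload-download rules and every modified app-detect rule ship DISABLED, so unless your policy overrides the defaults those app-detect changes alter nothing that alerts today.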

New Rules:


 * 1:63607 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
 * 1:63606 <-> ENABLED <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt (malware-cnc.rules)
 * 1:63608 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
 * 3:63610 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
 * 3:63609 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
 * 3:63611 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
 * 3:63612 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
 * 3:63613 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
 * 3:63614 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)

Modified Rules:


 * 1:13360 <-> DISABLED <-> APP-DETECT FTP 530 Login failed response (app-detect.rules)
 * 1:13586 <-> DISABLED <-> APP-DETECT SSH server detected on non-standard port (app-detect.rules)
 * 1:13898 <-> DISABLED <-> APP-DETECT Apple iTunes client request for server info (app-detect.rules)
 * 1:13899 <-> DISABLED <-> APP-DETECT Apple iTunes client login attempt (app-detect.rules)
 * 1:13900 <-> DISABLED <-> APP-DETECT Apple iTunes server multicast DNS response (app-detect.rules)
 * 1:15185 <-> DISABLED <-> APP-DETECT Nintendo Wii SSL Server Hello (app-detect.rules)
 * 1:16680 <-> DISABLED <-> APP-DETECT Tandberg VCS SSH default key (app-detect.rules)
 * 1:17110 <-> DISABLED <-> APP-DETECT VxWorks remote debugging agent login attempt (app-detect.rules)
 * 1:18608 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
 * 1:18609 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
 * 1:20443 <-> DISABLED <-> APP-DETECT Apple OSX Remote Mouse usage (app-detect.rules)
 * 1:21171 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
 * 1:21172 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
 * 1:21332 <-> DISABLED <-> APP-DETECT Synergy network kvm usage detected (app-detect.rules)
 * 1:21853 <-> DISABLED <-> APP-DETECT ptunnel icmp proxy (app-detect.rules)
 * 1:23616 <-> DISABLED <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested (app-detect.rules)
 * 1:23617 <-> DISABLED <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt (app-detect.rules)
 * 1:24094 <-> DISABLED <-> APP-DETECT Teamviewer control server ping (app-detect.rules)
 * 1:24095 <-> DISABLED <-> APP-DETECT Teamviewer installer download attempt (app-detect.rules)
 * 1:25080 <-> DISABLED <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt (app-detect.rules)
 * 1:25081 <-> DISABLED <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt (app-detect.rules)
 * 1:25082 <-> DISABLED <-> APP-DETECT Apple Messages client side certificate request attempt (app-detect.rules)
 * 1:25083 <-> DISABLED <-> APP-DETECT Apple Messages service server request attempt (app-detect.rules)
 * 1:25358 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scan attempt (app-detect.rules)
 * 1:25359 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner probe attempt (app-detect.rules)
 * 1:25360 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt (app-detect.rules)
 * 1:25361 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt (app-detect.rules)
 * 1:25362 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt (app-detect.rules)
 * 1:25363 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt (app-detect.rules)
 * 1:25364 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt (app-detect.rules)
 * 1:25365 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt (app-detect.rules)
 * 1:25947 <-> DISABLED <-> APP-DETECT Ammyy remote access tool (app-detect.rules)
 * 1:26395 <-> DISABLED <-> APP-DETECT Ufasoft bitcoin miner possible data upload (app-detect.rules)
 * 1:27046 <-> DISABLED <-> APP-DETECT iodine dns tunneling handshake server ACK (app-detect.rules)
 * 1:27536 <-> DISABLED <-> APP-DETECT TCP over DNS response attempt (app-detect.rules)
 * 1:27668 <-> DISABLED <-> APP-DETECT Heyoka initial outbound connection attempt (app-detect.rules)
 * 1:27669 <-> DISABLED <-> APP-DETECT Heyoka outbound communication attempt (app-detect.rules)
 * 1:27700 <-> DISABLED <-> APP-DETECT NSTX DNS tunnel outbound connection attempt (app-detect.rules)
 * 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)
 * 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
 * 1:27924 <-> DISABLED <-> APP-DETECT Splashtop Streamer download attempt (app-detect.rules)
 * 1:27925 <-> DISABLED <-> APP-DETECT Splashtop Personal download attempt (app-detect.rules)
 * 1:27926 <-> DISABLED <-> APP-DETECT Splashtop Streamer certificate server connect attempt (app-detect.rules)
 * 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
 * 1:27928 <-> DISABLED <-> APP-DETECT Splashtop connection attempt (app-detect.rules)
 * 1:27929 <-> DISABLED <-> APP-DETECT Splashtop communication attempt (app-detect.rules)
 * 1:27930 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.com (app-detect.rules)
 * 1:27931 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.net (app-detect.rules)
 * 1:27932 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain devicevm.com (app-detect.rules)
 * 1:27933 <-> DISABLED <-> APP-DETECT Splashtop streamer download attempt (app-detect.rules)
 * 1:27934 <-> DISABLED <-> APP-DETECT Splashtop personal download attempt (app-detect.rules)
 * 1:28068 <-> DISABLED <-> APP-DETECT 360.cn Safeguard runtime outbound communication (app-detect.rules)
 * 1:28069 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn (app-detect.rules)
 * 1:28070 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com (app-detect.rules)
 * 1:28071 <-> DISABLED <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt (app-detect.rules)
 * 1:28245 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt (app-detect.rules)
 * 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)
 * 1:29320 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
 * 1:29321 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
 * 1:29322 <-> DISABLED <-> APP-DETECT Baidu IME runtime detection - remote sync (app-detect.rules)
 * 1:29354 <-> DISABLED <-> APP-DETECT Foca file scanning attempt (app-detect.rules)
 * 1:29381 <-> DISABLED <-> APP-DETECT VPN Over DNS outbound traffic attempt (app-detect.rules)
 * 1:29382 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
 * 1:29383 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
 * 1:30195 <-> DISABLED <-> APP-DETECT Paros proxy outbound connection attempt (app-detect.rules)
 * 1:30253 <-> DISABLED <-> APP-DETECT Anyplace proxy header detected (app-detect.rules)
 * 1:30254 <-> DISABLED <-> APP-DETECT Anyplace usage attempt (app-detect.rules)
 * 1:3061 <-> DISABLED <-> APP-DETECT distccd remote command execution attempt (app-detect.rules)
 * 1:30853 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org (app-detect.rules)
 * 1:30854 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com (app-detect.rules)
 * 1:30855 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net (app-detect.rules)
 * 1:30856 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com (app-detect.rules)
 * 1:30857 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com (app-detect.rules)
 * 1:30858 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org (app-detect.rules)
 * 1:30859 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com (app-detect.rules)
 * 1:30860 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com (app-detect.rules)
 * 1:30861 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net (app-detect.rules)
 * 1:30862 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net (app-detect.rules)
 * 1:30863 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org (app-detect.rules)
 * 1:30864 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org (app-detect.rules)
 * 1:30865 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com (app-detect.rules)
 * 1:30866 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org (app-detect.rules)
 * 1:30867 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info (app-detect.rules)
 * 1:30868 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com (app-detect.rules)
 * 1:30869 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com (app-detect.rules)
 * 1:30870 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net (app-detect.rules)
 * 1:30871 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info (app-detect.rules)
 * 1:30872 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org (app-detect.rules)
 * 1:30873 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org (app-detect.rules)
 * 1:30874 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org (app-detect.rules)
 * 1:30875 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net (app-detect.rules)
 * 1:31532 <-> DISABLED <-> APP-DETECT Xolominer outbound connection attempt (app-detect.rules)
 * 1:32864 <-> DISABLED <-> APP-DETECT I2P NetBIOS name resolution request attempt (app-detect.rules)
 * 1:32865 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules)
 * 1:32866 <-> DISABLED <-> APP-DETECT I2P UPNP query attempt (app-detect.rules)
 * 1:33430 <-> DISABLED <-> APP-DETECT I2P traffic transmission attempt (app-detect.rules)
 * 1:34463 <-> DISABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules)
 * 1:34496 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query attempt (app-detect.rules)
 * 1:34497 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query response attempt (app-detect.rules)
 * 1:37062 <-> DISABLED <-> APP-DETECT 12P DNS request attempt (app-detect.rules)
 * 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (app-detect.rules)
 * 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
 * 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules)
 * 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (app-detect.rules)
 * 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37354 <-> DISABLED <-> APP-DETECT Jenkins Groovy script access through script console attempt (app-detect.rules)
 * 1:38594 <-> DISABLED <-> APP-DETECT Bloomberg web crawler outbound connection (app-detect.rules)
 * 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (app-detect.rules)
 * 1:42492 <-> DISABLED <-> APP-DETECT Intel AMT DHCP boot request detected (app-detect.rules)
 * 1:43565 <-> DISABLED <-> APP-DETECT HTTPTunnel proxy outbound connection detected (app-detect.rules)
 * 1:493 <-> DISABLED <-> APP-DETECT psyBNC access (app-detect.rules)
 * 1:50870 <-> DISABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
 * 1:560 <-> DISABLED <-> APP-DETECT VNC server response (app-detect.rules)
 * 1:566 <-> DISABLED <-> APP-DETECT PCAnywhere server response (app-detect.rules)

2024-06-25 14:09:38 UTC

Snort Subscriber Rules Update

Date: 2024-06-25

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091900.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63606 <-> ENABLED <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt (malware-cnc.rules)
 * 1:63608 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
 * 1:63607 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
 * 3:63614 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
 * 3:63609 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
 * 3:63610 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
 * 3:63611 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
 * 3:63613 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
 * 3:63612 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:13360 <-> DISABLED <-> APP-DETECT FTP 530 Login failed response (app-detect.rules)
 * 1:13898 <-> DISABLED <-> APP-DETECT Apple iTunes client request for server info (app-detect.rules)
 * 1:13586 <-> DISABLED <-> APP-DETECT SSH server detected on non-standard port (app-detect.rules)
 * 1:13900 <-> DISABLED <-> APP-DETECT Apple iTunes server multicast DNS response (app-detect.rules)
 * 1:13899 <-> DISABLED <-> APP-DETECT Apple iTunes client login attempt (app-detect.rules)
 * 1:16680 <-> DISABLED <-> APP-DETECT Tandberg VCS SSH default key (app-detect.rules)
 * 1:15185 <-> DISABLED <-> APP-DETECT Nintendo Wii SSL Server Hello (app-detect.rules)
 * 1:17110 <-> DISABLED <-> APP-DETECT VxWorks remote debugging agent login attempt (app-detect.rules)
 * 1:18608 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
 * 1:20443 <-> DISABLED <-> APP-DETECT Apple OSX Remote Mouse usage (app-detect.rules)
 * 1:18609 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
 * 1:21172 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
 * 1:21171 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
 * 1:21853 <-> DISABLED <-> APP-DETECT ptunnel icmp proxy (app-detect.rules)
 * 1:21332 <-> DISABLED <-> APP-DETECT Synergy network kvm usage detected (app-detect.rules)
 * 1:23617 <-> DISABLED <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt (app-detect.rules)
 * 1:23616 <-> DISABLED <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested (app-detect.rules)
 * 1:24095 <-> DISABLED <-> APP-DETECT Teamviewer installer download attempt (app-detect.rules)
 * 1:24094 <-> DISABLED <-> APP-DETECT Teamviewer control server ping (app-detect.rules)
 * 1:25080 <-> DISABLED <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt (app-detect.rules)
 * 1:25081 <-> DISABLED <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt (app-detect.rules)
 * 1:25083 <-> DISABLED <-> APP-DETECT Apple Messages service server request attempt (app-detect.rules)
 * 1:25082 <-> DISABLED <-> APP-DETECT Apple Messages client side certificate request attempt (app-detect.rules)
 * 1:25358 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scan attempt (app-detect.rules)
 * 1:25360 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt (app-detect.rules)
 * 1:25359 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner probe attempt (app-detect.rules)
 * 1:25362 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt (app-detect.rules)
 * 1:25361 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt (app-detect.rules)
 * 1:25364 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt (app-detect.rules)
 * 1:25363 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt (app-detect.rules)
 * 1:25947 <-> DISABLED <-> APP-DETECT Ammyy remote access tool (app-detect.rules)
 * 1:25365 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt (app-detect.rules)
 * 1:27046 <-> DISABLED <-> APP-DETECT iodine dns tunneling handshake server ACK (app-detect.rules)
 * 1:26395 <-> DISABLED <-> APP-DETECT Ufasoft bitcoin miner possible data upload (app-detect.rules)
 * 1:27668 <-> DISABLED <-> APP-DETECT Heyoka initial outbound connection attempt (app-detect.rules)
 * 1:27536 <-> DISABLED <-> APP-DETECT TCP over DNS response attempt (app-detect.rules)
 * 1:27700 <-> DISABLED <-> APP-DETECT NSTX DNS tunnel outbound connection attempt (app-detect.rules)
 * 1:27669 <-> DISABLED <-> APP-DETECT Heyoka outbound communication attempt (app-detect.rules)
 * 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)
 * 1:27924 <-> DISABLED <-> APP-DETECT Splashtop Streamer download attempt (app-detect.rules)
 * 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
 * 1:27926 <-> DISABLED <-> APP-DETECT Splashtop Streamer certificate server connect attempt (app-detect.rules)
 * 1:27925 <-> DISABLED <-> APP-DETECT Splashtop Personal download attempt (app-detect.rules)
 * 1:27928 <-> DISABLED <-> APP-DETECT Splashtop connection attempt (app-detect.rules)
 * 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
 * 1:27930 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.com (app-detect.rules)
 * 1:27929 <-> DISABLED <-> APP-DETECT Splashtop communication attempt (app-detect.rules)
 * 1:27932 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain devicevm.com (app-detect.rules)
 * 1:27931 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.net (app-detect.rules)
 * 1:27933 <-> DISABLED <-> APP-DETECT Splashtop streamer download attempt (app-detect.rules)
 * 1:28068 <-> DISABLED <-> APP-DETECT 360.cn Safeguard runtime outbound communication (app-detect.rules)
 * 1:27934 <-> DISABLED <-> APP-DETECT Splashtop personal download attempt (app-detect.rules)
 * 1:28070 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com (app-detect.rules)
 * 1:28069 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn (app-detect.rules)
 * 1:28071 <-> DISABLED <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt (app-detect.rules)
 * 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)
 * 1:28245 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt (app-detect.rules)
 * 1:29321 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
 * 1:29320 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
 * 1:29354 <-> DISABLED <-> APP-DETECT Foca file scanning attempt (app-detect.rules)
 * 1:29322 <-> DISABLED <-> APP-DETECT Baidu IME runtime detection - remote sync (app-detect.rules)
 * 1:29382 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
 * 1:29381 <-> DISABLED <-> APP-DETECT VPN Over DNS outbound traffic attempt (app-detect.rules)
 * 1:30195 <-> DISABLED <-> APP-DETECT Paros proxy outbound connection attempt (app-detect.rules)
 * 1:29383 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
 * 1:30254 <-> DISABLED <-> APP-DETECT Anyplace usage attempt (app-detect.rules)
 * 1:30253 <-> DISABLED <-> APP-DETECT Anyplace proxy header detected (app-detect.rules)
 * 1:30853 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org (app-detect.rules)
 * 1:3061 <-> DISABLED <-> APP-DETECT distccd remote command execution attempt (app-detect.rules)
 * 1:30855 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net (app-detect.rules)
 * 1:30854 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com (app-detect.rules)
 * 1:30857 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com (app-detect.rules)
 * 1:30856 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com (app-detect.rules)
 * 1:30859 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com (app-detect.rules)
 * 1:30858 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org (app-detect.rules)
 * 1:30861 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net (app-detect.rules)
 * 1:30860 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com (app-detect.rules)
 * 1:30863 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org (app-detect.rules)
 * 1:30862 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net (app-detect.rules)
 * 1:30865 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com (app-detect.rules)
 * 1:30864 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org (app-detect.rules)
 * 1:30867 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info (app-detect.rules)
 * 1:30866 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org (app-detect.rules)
 * 1:30868 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com (app-detect.rules)
 * 1:30869 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com (app-detect.rules)
 * 1:30871 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info (app-detect.rules)
 * 1:30870 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net (app-detect.rules)
 * 1:30872 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org (app-detect.rules)
 * 1:31532 <-> DISABLED <-> APP-DETECT Xolominer outbound connection attempt (app-detect.rules)
 * 1:30874 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org (app-detect.rules)
 * 1:30873 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org (app-detect.rules)
 * 1:32865 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules)
 * 1:32864 <-> DISABLED <-> APP-DETECT I2P NetBIOS name resolution request attempt (app-detect.rules)
 * 1:30875 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net (app-detect.rules)
 * 1:32866 <-> DISABLED <-> APP-DETECT I2P UPNP query attempt (app-detect.rules)
 * 1:33430 <-> DISABLED <-> APP-DETECT I2P traffic transmission attempt (app-detect.rules)
 * 1:34463 <-> DISABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules)
 * 1:34496 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query attempt (app-detect.rules)
 * 1:34497 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query response attempt (app-detect.rules)
 * 1:37062 <-> DISABLED <-> APP-DETECT 12P DNS request attempt (app-detect.rules)
 * 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (app-detect.rules)
 * 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
 * 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules)
 * 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (app-detect.rules)
 * 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37354 <-> DISABLED <-> APP-DETECT Jenkins Groovy script access through script console attempt (app-detect.rules)
 * 1:38594 <-> DISABLED <-> APP-DETECT Bloomberg web crawler outbound connection (app-detect.rules)
 * 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (app-detect.rules)
 * 1:42492 <-> DISABLED <-> APP-DETECT Intel AMT DHCP boot request detected (app-detect.rules)
 * 1:43565 <-> DISABLED <-> APP-DETECT HTTPTunnel proxy outbound connection detected (app-detect.rules)
 * 1:493 <-> DISABLED <-> APP-DETECT psyBNC access (app-detect.rules)
 * 1:50870 <-> DISABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
 * 1:560 <-> DISABLED <-> APP-DETECT VNC server response (app-detect.rules)
 * 1:566 <-> DISABLED <-> APP-DETECT PCAnywhere server response (app-detect.rules)

2024-06-25 14:09:38 UTC

Snort Subscriber Rules Update

Date: 2024-06-25

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091801.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63608 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
 * 1:63606 <-> ENABLED <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt (malware-cnc.rules)
 * 1:63607 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
 * 3:63609 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
 * 3:63614 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
 * 3:63612 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
 * 3:63611 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
 * 3:63613 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
 * 3:63610 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:13360 <-> DISABLED <-> APP-DETECT FTP 530 Login failed response (app-detect.rules)
 * 1:13898 <-> DISABLED <-> APP-DETECT Apple iTunes client request for server info (app-detect.rules)
 * 1:13586 <-> DISABLED <-> APP-DETECT SSH server detected on non-standard port (app-detect.rules)
 * 1:13900 <-> DISABLED <-> APP-DETECT Apple iTunes server multicast DNS response (app-detect.rules)
 * 1:13899 <-> DISABLED <-> APP-DETECT Apple iTunes client login attempt (app-detect.rules)
 * 1:16680 <-> DISABLED <-> APP-DETECT Tandberg VCS SSH default key (app-detect.rules)
 * 1:15185 <-> DISABLED <-> APP-DETECT Nintendo Wii SSL Server Hello (app-detect.rules)
 * 1:18608 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
 * 1:17110 <-> DISABLED <-> APP-DETECT VxWorks remote debugging agent login attempt (app-detect.rules)
 * 1:20443 <-> DISABLED <-> APP-DETECT Apple OSX Remote Mouse usage (app-detect.rules)
 * 1:18609 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
 * 1:21172 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
 * 1:21171 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
 * 1:21332 <-> DISABLED <-> APP-DETECT Synergy network kvm usage detected (app-detect.rules)
 * 1:23616 <-> DISABLED <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested (app-detect.rules)
 * 1:21853 <-> DISABLED <-> APP-DETECT ptunnel icmp proxy (app-detect.rules)
 * 1:24094 <-> DISABLED <-> APP-DETECT Teamviewer control server ping (app-detect.rules)
 * 1:23617 <-> DISABLED <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt (app-detect.rules)
 * 1:25080 <-> DISABLED <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt (app-detect.rules)
 * 1:24095 <-> DISABLED <-> APP-DETECT Teamviewer installer download attempt (app-detect.rules)
 * 1:25082 <-> DISABLED <-> APP-DETECT Apple Messages client side certificate request attempt (app-detect.rules)
 * 1:25081 <-> DISABLED <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt (app-detect.rules)
 * 1:25083 <-> DISABLED <-> APP-DETECT Apple Messages service server request attempt (app-detect.rules)
 * 1:25359 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner probe attempt (app-detect.rules)
 * 1:25358 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scan attempt (app-detect.rules)
 * 1:25362 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt (app-detect.rules)
 * 1:25360 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt (app-detect.rules)
 * 1:25361 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt (app-detect.rules)
 * 1:25364 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt (app-detect.rules)
 * 1:25363 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt (app-detect.rules)
 * 1:25365 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt (app-detect.rules)
 * 1:25947 <-> DISABLED <-> APP-DETECT Ammyy remote access tool (app-detect.rules)
 * 1:27046 <-> DISABLED <-> APP-DETECT iodine dns tunneling handshake server ACK (app-detect.rules)
 * 1:26395 <-> DISABLED <-> APP-DETECT Ufasoft bitcoin miner possible data upload (app-detect.rules)
 * 1:27668 <-> DISABLED <-> APP-DETECT Heyoka initial outbound connection attempt (app-detect.rules)
 * 1:27536 <-> DISABLED <-> APP-DETECT TCP over DNS response attempt (app-detect.rules)
 * 1:27700 <-> DISABLED <-> APP-DETECT NSTX DNS tunnel outbound connection attempt (app-detect.rules)
 * 1:27669 <-> DISABLED <-> APP-DETECT Heyoka outbound communication attempt (app-detect.rules)
 * 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)
 * 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
 * 1:27925 <-> DISABLED <-> APP-DETECT Splashtop Personal download attempt (app-detect.rules)
 * 1:27924 <-> DISABLED <-> APP-DETECT Splashtop Streamer download attempt (app-detect.rules)
 * 1:27926 <-> DISABLED <-> APP-DETECT Splashtop Streamer certificate server connect attempt (app-detect.rules)
 * 1:27928 <-> DISABLED <-> APP-DETECT Splashtop connection attempt (app-detect.rules)
 * 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
 * 1:27930 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.com (app-detect.rules)
 * 1:27929 <-> DISABLED <-> APP-DETECT Splashtop communication attempt (app-detect.rules)
 * 1:27932 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain devicevm.com (app-detect.rules)
 * 1:27931 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.net (app-detect.rules)
 * 1:27934 <-> DISABLED <-> APP-DETECT Splashtop personal download attempt (app-detect.rules)
 * 1:27933 <-> DISABLED <-> APP-DETECT Splashtop streamer download attempt (app-detect.rules)
 * 1:28068 <-> DISABLED <-> APP-DETECT 360.cn Safeguard runtime outbound communication (app-detect.rules)
 * 1:28070 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com (app-detect.rules)
 * 1:28069 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn (app-detect.rules)
 * 1:28071 <-> DISABLED <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt (app-detect.rules)
 * 1:28245 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt (app-detect.rules)
 * 1:29320 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
 * 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)
 * 1:29322 <-> DISABLED <-> APP-DETECT Baidu IME runtime detection - remote sync (app-detect.rules)
 * 1:29321 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
 * 1:29381 <-> DISABLED <-> APP-DETECT VPN Over DNS outbound traffic attempt (app-detect.rules)
 * 1:29354 <-> DISABLED <-> APP-DETECT Foca file scanning attempt (app-detect.rules)
 * 1:29383 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
 * 1:29382 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
 * 1:30195 <-> DISABLED <-> APP-DETECT Paros proxy outbound connection attempt (app-detect.rules)
 * 1:30254 <-> DISABLED <-> APP-DETECT Anyplace usage attempt (app-detect.rules)
 * 1:30253 <-> DISABLED <-> APP-DETECT Anyplace proxy header detected (app-detect.rules)
 * 1:30853 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org (app-detect.rules)
 * 1:3061 <-> DISABLED <-> APP-DETECT distccd remote command execution attempt (app-detect.rules)
 * 1:30855 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net (app-detect.rules)
 * 1:30854 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com (app-detect.rules)
 * 1:30857 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com (app-detect.rules)
 * 1:30856 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com (app-detect.rules)
 * 1:30859 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com (app-detect.rules)
 * 1:30858 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org (app-detect.rules)
 * 1:30860 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com (app-detect.rules)
 * 1:30862 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net (app-detect.rules)
 * 1:30861 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net (app-detect.rules)
 * 1:30864 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org (app-detect.rules)
 * 1:30863 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org (app-detect.rules)
 * 1:30865 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com (app-detect.rules)
 * 1:30867 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info (app-detect.rules)
 * 1:30866 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org (app-detect.rules)
 * 1:30869 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com (app-detect.rules)
 * 1:30868 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com (app-detect.rules)
 * 1:30871 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info (app-detect.rules)
 * 1:30870 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net (app-detect.rules)
 * 1:33430 <-> DISABLED <-> APP-DETECT I2P traffic transmission attempt (app-detect.rules)
 * 1:32864 <-> DISABLED <-> APP-DETECT I2P NetBIOS name resolution request attempt (app-detect.rules)
 * 1:30872 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org (app-detect.rules)
 * 1:30875 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net (app-detect.rules)
 * 1:30873 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org (app-detect.rules)
 * 1:32866 <-> DISABLED <-> APP-DETECT I2P UPNP query attempt (app-detect.rules)
 * 1:37062 <-> DISABLED <-> APP-DETECT 12P DNS request attempt (app-detect.rules)
 * 1:34496 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query attempt (app-detect.rules)
 * 1:32865 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules)
 * 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:34463 <-> DISABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules)
 * 1:34497 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query response attempt (app-detect.rules)
 * 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (app-detect.rules)
 * 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
 * 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules)
 * 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (app-detect.rules)
 * 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37354 <-> DISABLED <-> APP-DETECT Jenkins Groovy script access through script console attempt (app-detect.rules)
 * 1:38594 <-> DISABLED <-> APP-DETECT Bloomberg web crawler outbound connection (app-detect.rules)
 * 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (app-detect.rules)
 * 1:42492 <-> DISABLED <-> APP-DETECT Intel AMT DHCP boot request detected (app-detect.rules)
 * 1:43565 <-> DISABLED <-> APP-DETECT HTTPTunnel proxy outbound connection detected (app-detect.rules)
 * 1:493 <-> DISABLED <-> APP-DETECT psyBNC access (app-detect.rules)
 * 1:50870 <-> DISABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
 * 1:560 <-> DISABLED <-> APP-DETECT VNC server response (app-detect.rules)
 * 1:566 <-> DISABLED <-> APP-DETECT PCAnywhere server response (app-detect.rules)
 * 1:31532 <-> DISABLED <-> APP-DETECT Xolominer outbound connection attempt (app-detect.rules)
 * 1:30874 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org (app-detect.rules)

2024-06-25 14:09:38 UTC

Snort Subscriber Rules Update

Date: 2024-06-25

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63606 <-> ENABLED <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt (malware-cnc.rules)
 * 1:63608 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
 * 1:63607 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
 * 3:63611 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
 * 3:63614 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
 * 3:63609 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
 * 3:63610 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
 * 3:63613 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
 * 3:63612 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules)
 * 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:30874 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org (app-detect.rules)
 * 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:34497 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query response attempt (app-detect.rules)
 * 1:29383 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
 * 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:25363 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt (app-detect.rules)
 * 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (app-detect.rules)
 * 1:32866 <-> DISABLED <-> APP-DETECT I2P UPNP query attempt (app-detect.rules)
 * 1:37062 <-> DISABLED <-> APP-DETECT 12P DNS request attempt (app-detect.rules)
 * 1:32864 <-> DISABLED <-> APP-DETECT I2P NetBIOS name resolution request attempt (app-detect.rules)
 * 1:34496 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query attempt (app-detect.rules)
 * 1:34463 <-> DISABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules)
 * 1:29320 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
 * 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:32865 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules)
 * 1:30875 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net (app-detect.rules)
 * 1:30873 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org (app-detect.rules)
 * 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
 * 1:30856 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com (app-detect.rules)
 * 1:30855 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net (app-detect.rules)
 * 1:27668 <-> DISABLED <-> APP-DETECT Heyoka initial outbound connection attempt (app-detect.rules)
 * 1:29322 <-> DISABLED <-> APP-DETECT Baidu IME runtime detection - remote sync (app-detect.rules)
 * 1:29382 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
 * 1:3061 <-> DISABLED <-> APP-DETECT distccd remote command execution attempt (app-detect.rules)
 * 1:30854 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com (app-detect.rules)
 * 1:30253 <-> DISABLED <-> APP-DETECT Anyplace proxy header detected (app-detect.rules)
 * 1:29354 <-> DISABLED <-> APP-DETECT Foca file scanning attempt (app-detect.rules)
 * 1:25365 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt (app-detect.rules)
 * 1:30254 <-> DISABLED <-> APP-DETECT Anyplace usage attempt (app-detect.rules)
 * 1:30857 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com (app-detect.rules)
 * 1:30858 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org (app-detect.rules)
 * 1:30859 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com (app-detect.rules)
 * 1:30860 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com (app-detect.rules)
 * 1:30861 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net (app-detect.rules)
 * 1:30862 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net (app-detect.rules)
 * 1:27046 <-> DISABLED <-> APP-DETECT iodine dns tunneling handshake server ACK (app-detect.rules)
 * 1:30853 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org (app-detect.rules)
 * 1:30195 <-> DISABLED <-> APP-DETECT Paros proxy outbound connection attempt (app-detect.rules)
 * 1:30863 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org (app-detect.rules)
 * 1:30864 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org (app-detect.rules)
 * 1:30865 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com (app-detect.rules)
 * 1:30866 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org (app-detect.rules)
 * 1:30867 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info (app-detect.rules)
 * 1:30868 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com (app-detect.rules)
 * 1:30869 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com (app-detect.rules)
 * 1:30870 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net (app-detect.rules)
 * 1:30871 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info (app-detect.rules)
 * 1:30872 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org (app-detect.rules)
 * 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (app-detect.rules)
 * 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:29381 <-> DISABLED <-> APP-DETECT VPN Over DNS outbound traffic attempt (app-detect.rules)
 * 1:31532 <-> DISABLED <-> APP-DETECT Xolominer outbound connection attempt (app-detect.rules)
 * 1:33430 <-> DISABLED <-> APP-DETECT I2P traffic transmission attempt (app-detect.rules)
 * 1:37354 <-> DISABLED <-> APP-DETECT Jenkins Groovy script access through script console attempt (app-detect.rules)
 * 1:38594 <-> DISABLED <-> APP-DETECT Bloomberg web crawler outbound connection (app-detect.rules)
 * 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (app-detect.rules)
 * 1:42492 <-> DISABLED <-> APP-DETECT Intel AMT DHCP boot request detected (app-detect.rules)
 * 1:43565 <-> DISABLED <-> APP-DETECT HTTPTunnel proxy outbound connection detected (app-detect.rules)
 * 1:493 <-> DISABLED <-> APP-DETECT psyBNC access (app-detect.rules)
 * 1:50870 <-> DISABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
 * 1:560 <-> DISABLED <-> APP-DETECT VNC server response (app-detect.rules)
 * 1:566 <-> DISABLED <-> APP-DETECT PCAnywhere server response (app-detect.rules)
 * 1:13586 <-> DISABLED <-> APP-DETECT SSH server detected on non-standard port (app-detect.rules)
 * 1:13898 <-> DISABLED <-> APP-DETECT Apple iTunes client request for server info (app-detect.rules)
 * 1:13360 <-> DISABLED <-> APP-DETECT FTP 530 Login failed response (app-detect.rules)
 * 1:15185 <-> DISABLED <-> APP-DETECT Nintendo Wii SSL Server Hello (app-detect.rules)
 * 1:13899 <-> DISABLED <-> APP-DETECT Apple iTunes client login attempt (app-detect.rules)
 * 1:17110 <-> DISABLED <-> APP-DETECT VxWorks remote debugging agent login attempt (app-detect.rules)
 * 1:13900 <-> DISABLED <-> APP-DETECT Apple iTunes server multicast DNS response (app-detect.rules)
 * 1:18609 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
 * 1:16680 <-> DISABLED <-> APP-DETECT Tandberg VCS SSH default key (app-detect.rules)
 * 1:20443 <-> DISABLED <-> APP-DETECT Apple OSX Remote Mouse usage (app-detect.rules)
 * 1:18608 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
 * 1:21332 <-> DISABLED <-> APP-DETECT Synergy network kvm usage detected (app-detect.rules)
 * 1:21171 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
 * 1:21853 <-> DISABLED <-> APP-DETECT ptunnel icmp proxy (app-detect.rules)
 * 1:21172 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
 * 1:23616 <-> DISABLED <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested (app-detect.rules)
 * 1:23617 <-> DISABLED <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt (app-detect.rules)
 * 1:24094 <-> DISABLED <-> APP-DETECT Teamviewer control server ping (app-detect.rules)
 * 1:24095 <-> DISABLED <-> APP-DETECT Teamviewer installer download attempt (app-detect.rules)
 * 1:25080 <-> DISABLED <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt (app-detect.rules)
 * 1:25081 <-> DISABLED <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt (app-detect.rules)
 * 1:25082 <-> DISABLED <-> APP-DETECT Apple Messages client side certificate request attempt (app-detect.rules)
 * 1:25083 <-> DISABLED <-> APP-DETECT Apple Messages service server request attempt (app-detect.rules)
 * 1:25360 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt (app-detect.rules)
 * 1:25358 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scan attempt (app-detect.rules)
 * 1:25359 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner probe attempt (app-detect.rules)
 * 1:25361 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt (app-detect.rules)
 * 1:25364 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt (app-detect.rules)
 * 1:25362 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt (app-detect.rules)
 * 1:27536 <-> DISABLED <-> APP-DETECT TCP over DNS response attempt (app-detect.rules)
 * 1:25947 <-> DISABLED <-> APP-DETECT Ammyy remote access tool (app-detect.rules)
 * 1:26395 <-> DISABLED <-> APP-DETECT Ufasoft bitcoin miner possible data upload (app-detect.rules)
 * 1:27669 <-> DISABLED <-> APP-DETECT Heyoka outbound communication attempt (app-detect.rules)
 * 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)
 * 1:27700 <-> DISABLED <-> APP-DETECT NSTX DNS tunnel outbound connection attempt (app-detect.rules)
 * 1:27924 <-> DISABLED <-> APP-DETECT Splashtop Streamer download attempt (app-detect.rules)
 * 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
 * 1:27926 <-> DISABLED <-> APP-DETECT Splashtop Streamer certificate server connect attempt (app-detect.rules)
 * 1:27925 <-> DISABLED <-> APP-DETECT Splashtop Personal download attempt (app-detect.rules)
 * 1:27928 <-> DISABLED <-> APP-DETECT Splashtop connection attempt (app-detect.rules)
 * 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
 * 1:27930 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.com (app-detect.rules)
 * 1:27929 <-> DISABLED <-> APP-DETECT Splashtop communication attempt (app-detect.rules)
 * 1:27931 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.net (app-detect.rules)
 * 1:27933 <-> DISABLED <-> APP-DETECT Splashtop streamer download attempt (app-detect.rules)
 * 1:27932 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain devicevm.com (app-detect.rules)
 * 1:28068 <-> DISABLED <-> APP-DETECT 360.cn Safeguard runtime outbound communication (app-detect.rules)
 * 1:27934 <-> DISABLED <-> APP-DETECT Splashtop personal download attempt (app-detect.rules)
 * 1:28069 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn (app-detect.rules)
 * 1:28071 <-> DISABLED <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt (app-detect.rules)
 * 1:28070 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com (app-detect.rules)
 * 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)
 * 1:28245 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt (app-detect.rules)
 * 1:29321 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)

2024-06-25 14:09:38 UTC

Snort Subscriber Rules Update

Date: 2024-06-25

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
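The one-line format above is all the structure these change logs have, and the same lines repeat once per Snort version. As an added example (not Talos's or Snort's own tooling), the Python below parses one update block into records and summarizes which new rules are ENABLED in the default state, i.e. will alert without a local policy change. The gid 1 / gid 3 split is a fact about Snort (text rules versus shared-object rules); the sample text is a constructed excerpt of entries from this page.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Matches one changelog entry in the format the page documents:
#   gid:sid <-> Default rule state <-> Message (rule group)
ENTRY_RE = re.compile(
    r"^\s*\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+"
    r"(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<msg>.+?)\s+\((?P<group>[\w.-]+)\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    state: str
    msg: str
    group: str
    section: str  # "new" or "modified"

    @property
    def category(self) -> str:
        # The message starts with the rule category, e.g. "APP-DETECT".
        return self.msg.split(" ", 1)[0]

    @property
    def is_shared_object(self) -> bool:
        # gid 3 entries are shared-object (SO) rules shipped as compiled
        # objects; gid 1 entries are plain-text rules.
        return self.gid == 3


def parse_changelog(text: str) -> list:
    """Parse one 'Snort Subscriber Rules Update' block into RuleEntry records.

    Lines before the first 'New Rules:' / 'Modified Rules:' header are
    ignored, and lines that do not match the documented format are skipped
    rather than guessed at.
    """
    entries = []
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            entries.append(RuleEntry(
                gid=int(m["gid"]), sid=int(m["sid"]), state=m["state"],
                msg=m["msg"], group=m["group"], section=section,
            ))
    return entries


def summarize(entries):
    """Counts per (section, state) and per rule group, plus the gid:sid of
    every new rule that is ENABLED by default and so alerts out of the box."""
    by_section_state = Counter((e.section, e.state) for e in entries)
    by_group = Counter(e.group for e in entries)
    enabled_new = sorted(f"{e.gid}:{e.sid}" for e in entries
                         if e.section == "new" and e.state == "ENABLED")
    return by_section_state, by_group, enabled_new


# Constructed excerpt of entries from this release (same format as the page).
SAMPLE = """\
Snort Subscriber Rules Update

New Rules:

 * 1:63606 <-> ENABLED <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt (malware-cnc.rules)
 * 1:63607 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
 * 3:63609 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:32865 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules)
 * 1:13586 <-> DISABLED <-> APP-DETECT SSH server detected on non-standard port (app-detect.rules)
"""

if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    states, groups, enabled = summarize(parsed)
    print(dict(states))
    print(dict(groups))
    print("new rules enabled by default:", enabled)
```

Run against this release, the summary shows why the page's long APP-DETECT list changes nothing on a stock sensor: every modified rule is DISABLED in the default state, so the edits only take effect where the local policy has explicitly enabled those SIDs, while the ReconShark C2 rule (1:63606) and the gid 3 TRUFFLEHUNTER rules are the only additions that alert out of the box.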

New Rules:


 * 1:63607 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
 * 1:63608 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
 * 1:63606 <-> ENABLED <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt (malware-cnc.rules)
 * 3:63613 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
 * 3:63614 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
 * 3:63612 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
 * 3:63611 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
 * 3:63610 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
 * 3:63609 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:29382 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
 * 1:30871 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info (app-detect.rules)
 * 1:24095 <-> DISABLED <-> APP-DETECT Teamviewer installer download attempt (app-detect.rules)
 * 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (app-detect.rules)
 * 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
 * 1:30869 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com (app-detect.rules)
 * 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (app-detect.rules)
 * 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37354 <-> DISABLED <-> APP-DETECT Jenkins Groovy script access through script console attempt (app-detect.rules)
 * 1:38594 <-> DISABLED <-> APP-DETECT Bloomberg web crawler outbound connection (app-detect.rules)
 * 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (app-detect.rules)
 * 1:42492 <-> DISABLED <-> APP-DETECT Intel AMT DHCP boot request detected (app-detect.rules)
 * 1:43565 <-> DISABLED <-> APP-DETECT HTTPTunnel proxy outbound connection detected (app-detect.rules)
 * 1:493 <-> DISABLED <-> APP-DETECT psyBNC access (app-detect.rules)
 * 1:50870 <-> DISABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
 * 1:560 <-> DISABLED <-> APP-DETECT VNC server response (app-detect.rules)
 * 1:29381 <-> DISABLED <-> APP-DETECT VPN Over DNS outbound traffic attempt (app-detect.rules)
 * 1:37062 <-> DISABLED <-> APP-DETECT 12P DNS request attempt (app-detect.rules)
 * 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:33430 <-> DISABLED <-> APP-DETECT I2P traffic transmission attempt (app-detect.rules)
 * 1:25358 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scan attempt (app-detect.rules)
 * 1:34497 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query response attempt (app-detect.rules)
 * 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:25083 <-> DISABLED <-> APP-DETECT Apple Messages service server request attempt (app-detect.rules)
 * 1:34463 <-> DISABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules)
 * 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:31532 <-> DISABLED <-> APP-DETECT Xolominer outbound connection attempt (app-detect.rules)
 * 1:34496 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query attempt (app-detect.rules)
 * 1:32864 <-> DISABLED <-> APP-DETECT I2P NetBIOS name resolution request attempt (app-detect.rules)
 * 1:32866 <-> DISABLED <-> APP-DETECT I2P UPNP query attempt (app-detect.rules)
 * 1:30874 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org (app-detect.rules)
 * 1:30872 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org (app-detect.rules)
 * 1:30875 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net (app-detect.rules)
 * 1:25082 <-> DISABLED <-> APP-DETECT Apple Messages client side certificate request attempt (app-detect.rules)
 * 1:17110 <-> DISABLED <-> APP-DETECT VxWorks remote debugging agent login attempt (app-detect.rules)
 * 1:18608 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
 * 1:29354 <-> DISABLED <-> APP-DETECT Foca file scanning attempt (app-detect.rules)
 * 1:30195 <-> DISABLED <-> APP-DETECT Paros proxy outbound connection attempt (app-detect.rules)
 * 1:13360 <-> DISABLED <-> APP-DETECT FTP 530 Login failed response (app-detect.rules)
 * 1:13586 <-> DISABLED <-> APP-DETECT SSH server detected on non-standard port (app-detect.rules)
 * 1:13898 <-> DISABLED <-> APP-DETECT Apple iTunes client request for server info (app-detect.rules)
 * 1:13899 <-> DISABLED <-> APP-DETECT Apple iTunes client login attempt (app-detect.rules)
 * 1:13900 <-> DISABLED <-> APP-DETECT Apple iTunes server multicast DNS response (app-detect.rules)
 * 1:15185 <-> DISABLED <-> APP-DETECT Nintendo Wii SSL Server Hello (app-detect.rules)
 * 1:18609 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
 * 1:20443 <-> DISABLED <-> APP-DETECT Apple OSX Remote Mouse usage (app-detect.rules)
 * 1:21171 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
 * 1:21172 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
 * 1:21332 <-> DISABLED <-> APP-DETECT Synergy network kvm usage detected (app-detect.rules)
 * 1:21853 <-> DISABLED <-> APP-DETECT ptunnel icmp proxy (app-detect.rules)
 * 1:23616 <-> DISABLED <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested (app-detect.rules)
 * 1:23617 <-> DISABLED <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt (app-detect.rules)
 * 1:24094 <-> DISABLED <-> APP-DETECT Teamviewer control server ping (app-detect.rules)
 * 1:30870 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net (app-detect.rules)
 * 1:566 <-> DISABLED <-> APP-DETECT PCAnywhere server response (app-detect.rules)
 * 1:25080 <-> DISABLED <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt (app-detect.rules)
 * 1:25081 <-> DISABLED <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt (app-detect.rules)
 * 1:25359 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner probe attempt (app-detect.rules)
 * 1:25360 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt (app-detect.rules)
 * 1:25361 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt (app-detect.rules)
 * 1:25362 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt (app-detect.rules)
 * 1:25363 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt (app-detect.rules)
 * 1:25364 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt (app-detect.rules)
 * 1:25365 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt (app-detect.rules)
 * 1:25947 <-> DISABLED <-> APP-DETECT Ammyy remote access tool (app-detect.rules)
 * 1:26395 <-> DISABLED <-> APP-DETECT Ufasoft bitcoin miner possible data upload (app-detect.rules)
 * 1:30873 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org (app-detect.rules)
 * 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules)
 * 1:32865 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules)
 * 1:27668 <-> DISABLED <-> APP-DETECT Heyoka initial outbound connection attempt (app-detect.rules)
 * 1:27046 <-> DISABLED <-> APP-DETECT iodine dns tunneling handshake server ACK (app-detect.rules)
 * 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
 * 1:27536 <-> DISABLED <-> APP-DETECT TCP over DNS response attempt (app-detect.rules)
 * 1:27925 <-> DISABLED <-> APP-DETECT Splashtop Personal download attempt (app-detect.rules)
 * 1:27700 <-> DISABLED <-> APP-DETECT NSTX DNS tunnel outbound connection attempt (app-detect.rules)
 * 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
 * 1:27669 <-> DISABLED <-> APP-DETECT Heyoka outbound communication attempt (app-detect.rules)
 * 1:27924 <-> DISABLED <-> APP-DETECT Splashtop Streamer download attempt (app-detect.rules)
 * 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)
 * 1:27931 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.net (app-detect.rules)
 * 1:27926 <-> DISABLED <-> APP-DETECT Splashtop Streamer certificate server connect attempt (app-detect.rules)
 * 1:27928 <-> DISABLED <-> APP-DETECT Splashtop connection attempt (app-detect.rules)
 * 1:27929 <-> DISABLED <-> APP-DETECT Splashtop communication attempt (app-detect.rules)
 * 1:27930 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.com (app-detect.rules)
 * 1:27932 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain devicevm.com (app-detect.rules)
 * 1:27933 <-> DISABLED <-> APP-DETECT Splashtop streamer download attempt (app-detect.rules)
 * 1:27934 <-> DISABLED <-> APP-DETECT Splashtop personal download attempt (app-detect.rules)
 * 1:28068 <-> DISABLED <-> APP-DETECT 360.cn Safeguard runtime outbound communication (app-detect.rules)
 * 1:28069 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn (app-detect.rules)
 * 1:28070 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com (app-detect.rules)
 * 1:28071 <-> DISABLED <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt (app-detect.rules)
 * 1:29321 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
 * 1:28245 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt (app-detect.rules)
 * 1:29320 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
 * 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)
 * 1:29322 <-> DISABLED <-> APP-DETECT Baidu IME runtime detection - remote sync (app-detect.rules)
 * 1:16680 <-> DISABLED <-> APP-DETECT Tandberg VCS SSH default key (app-detect.rules)
 * 1:29383 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
 * 1:3061 <-> DISABLED <-> APP-DETECT distccd remote command execution attempt (app-detect.rules)
 * 1:30253 <-> DISABLED <-> APP-DETECT Anyplace proxy header detected (app-detect.rules)
 * 1:30854 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com (app-detect.rules)
 * 1:30254 <-> DISABLED <-> APP-DETECT Anyplace usage attempt (app-detect.rules)
 * 1:30856 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com (app-detect.rules)
 * 1:30853 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org (app-detect.rules)
 * 1:30858 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org (app-detect.rules)
 * 1:30855 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net (app-detect.rules)
 * 1:30860 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com (app-detect.rules)
 * 1:30857 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com (app-detect.rules)
 * 1:30859 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com (app-detect.rules)
 * 1:30863 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org (app-detect.rules)
 * 1:30861 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net (app-detect.rules)
 * 1:30865 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com (app-detect.rules)
 * 1:30862 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net (app-detect.rules)
 * 1:30864 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org (app-detect.rules)
 * 1:30868 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com (app-detect.rules)
 * 1:30866 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org (app-detect.rules)
 * 1:30867 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info (app-detect.rules)

2024-06-25 14:09:38 UTC

Snort Subscriber Rules Update

Date: 2024-06-25

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63608 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
 * 1:63607 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
 * 1:63606 <-> ENABLED <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt (malware-cnc.rules)
 * 3:63610 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
 * 3:63613 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
 * 3:63614 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
 * 3:63612 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
 * 3:63609 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
 * 3:63611 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (app-detect.rules)
 * 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
 * 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:34463 <-> DISABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules)
 * 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:30874 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org (app-detect.rules)
 * 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:34496 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query attempt (app-detect.rules)
 * 1:37062 <-> DISABLED <-> APP-DETECT 12P DNS request attempt (app-detect.rules)
 * 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:33430 <-> DISABLED <-> APP-DETECT I2P traffic transmission attempt (app-detect.rules)
 * 1:30875 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net (app-detect.rules)
 * 1:13360 <-> DISABLED <-> APP-DETECT FTP 530 Login failed response (app-detect.rules)
 * 1:31532 <-> DISABLED <-> APP-DETECT Xolominer outbound connection attempt (app-detect.rules)
 * 1:13586 <-> DISABLED <-> APP-DETECT SSH server detected on non-standard port (app-detect.rules)
 * 1:13898 <-> DISABLED <-> APP-DETECT Apple iTunes client request for server info (app-detect.rules)
 * 1:13899 <-> DISABLED <-> APP-DETECT Apple iTunes client login attempt (app-detect.rules)
 * 1:13900 <-> DISABLED <-> APP-DETECT Apple iTunes server multicast DNS response (app-detect.rules)
 * 1:34497 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query response attempt (app-detect.rules)
 * 1:15185 <-> DISABLED <-> APP-DETECT Nintendo Wii SSL Server Hello (app-detect.rules)
 * 1:16680 <-> DISABLED <-> APP-DETECT Tandberg VCS SSH default key (app-detect.rules)
 * 1:17110 <-> DISABLED <-> APP-DETECT VxWorks remote debugging agent login attempt (app-detect.rules)
 * 1:18608 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
 * 1:18609 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
 * 1:20443 <-> DISABLED <-> APP-DETECT Apple OSX Remote Mouse usage (app-detect.rules)
 * 1:21171 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
 * 1:21172 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
 * 1:21332 <-> DISABLED <-> APP-DETECT Synergy network kvm usage detected (app-detect.rules)
 * 1:21853 <-> DISABLED <-> APP-DETECT ptunnel icmp proxy (app-detect.rules)
 * 1:23616 <-> DISABLED <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested (app-detect.rules)
 * 1:23617 <-> DISABLED <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt (app-detect.rules)
 * 1:24094 <-> DISABLED <-> APP-DETECT Teamviewer control server ping (app-detect.rules)
 * 1:24095 <-> DISABLED <-> APP-DETECT Teamviewer installer download attempt (app-detect.rules)
 * 1:25080 <-> DISABLED <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt (app-detect.rules)
 * 1:25081 <-> DISABLED <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt (app-detect.rules)
 * 1:25082 <-> DISABLED <-> APP-DETECT Apple Messages client side certificate request attempt (app-detect.rules)
 * 1:25083 <-> DISABLED <-> APP-DETECT Apple Messages service server request attempt (app-detect.rules)
 * 1:25358 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scan attempt (app-detect.rules)
 * 1:25359 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner probe attempt (app-detect.rules)
 * 1:25360 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt (app-detect.rules)
 * 1:25361 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt (app-detect.rules)
 * 1:25362 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt (app-detect.rules)
 * 1:25363 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt (app-detect.rules)
 * 1:25364 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt (app-detect.rules)
 * 1:25365 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt (app-detect.rules)
 * 1:25947 <-> DISABLED <-> APP-DETECT Ammyy remote access tool (app-detect.rules)
 * 1:26395 <-> DISABLED <-> APP-DETECT Ufasoft bitcoin miner possible data upload (app-detect.rules)
 * 1:27046 <-> DISABLED <-> APP-DETECT iodine dns tunneling handshake server ACK (app-detect.rules)
 * 1:27536 <-> DISABLED <-> APP-DETECT TCP over DNS response attempt (app-detect.rules)
 * 1:27668 <-> DISABLED <-> APP-DETECT Heyoka initial outbound connection attempt (app-detect.rules)
 * 1:27669 <-> DISABLED <-> APP-DETECT Heyoka outbound communication attempt (app-detect.rules)
 * 1:27700 <-> DISABLED <-> APP-DETECT NSTX DNS tunnel outbound connection attempt (app-detect.rules)
 * 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)
 * 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
 * 1:27924 <-> DISABLED <-> APP-DETECT Splashtop Streamer download attempt (app-detect.rules)
 * 1:27925 <-> DISABLED <-> APP-DETECT Splashtop Personal download attempt (app-detect.rules)
 * 1:32864 <-> DISABLED <-> APP-DETECT I2P NetBIOS name resolution request attempt (app-detect.rules)
 * 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules)
 * 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (app-detect.rules)
 * 1:38594 <-> DISABLED <-> APP-DETECT Bloomberg web crawler outbound connection (app-detect.rules)
 * 1:32865 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules)
 * 1:37354 <-> DISABLED <-> APP-DETECT Jenkins Groovy script access through script console attempt (app-detect.rules)
 * 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (app-detect.rules)
 * 1:42492 <-> DISABLED <-> APP-DETECT Intel AMT DHCP boot request detected (app-detect.rules)
 * 1:50870 <-> DISABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
 * 1:43565 <-> DISABLED <-> APP-DETECT HTTPTunnel proxy outbound connection detected (app-detect.rules)
 * 1:493 <-> DISABLED <-> APP-DETECT psyBNC access (app-detect.rules)
 * 1:566 <-> DISABLED <-> APP-DETECT PCAnywhere server response (app-detect.rules)
 * 1:27926 <-> DISABLED <-> APP-DETECT Splashtop Streamer certificate server connect attempt (app-detect.rules)
 * 1:560 <-> DISABLED <-> APP-DETECT VNC server response (app-detect.rules)
 * 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
 * 1:27928 <-> DISABLED <-> APP-DETECT Splashtop connection attempt (app-detect.rules)
 * 1:27929 <-> DISABLED <-> APP-DETECT Splashtop communication attempt (app-detect.rules)
 * 1:27930 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.com (app-detect.rules)
 * 1:27931 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.net (app-detect.rules)
 * 1:27932 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain devicevm.com (app-detect.rules)
 * 1:27933 <-> DISABLED <-> APP-DETECT Splashtop streamer download attempt (app-detect.rules)
 * 1:27934 <-> DISABLED <-> APP-DETECT Splashtop personal download attempt (app-detect.rules)
 * 1:28068 <-> DISABLED <-> APP-DETECT 360.cn Safeguard runtime outbound communication (app-detect.rules)
 * 1:28069 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn (app-detect.rules)
 * 1:28070 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com (app-detect.rules)
 * 1:28071 <-> DISABLED <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt (app-detect.rules)
 * 1:28245 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt (app-detect.rules)
 * 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)
 * 1:29320 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
 * 1:29321 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
 * 1:29322 <-> DISABLED <-> APP-DETECT Baidu IME runtime detection - remote sync (app-detect.rules)
 * 1:29354 <-> DISABLED <-> APP-DETECT Foca file scanning attempt (app-detect.rules)
 * 1:29381 <-> DISABLED <-> APP-DETECT VPN Over DNS outbound traffic attempt (app-detect.rules)
 * 1:29382 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
 * 1:29383 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
 * 1:30195 <-> DISABLED <-> APP-DETECT Paros proxy outbound connection attempt (app-detect.rules)
 * 1:30253 <-> DISABLED <-> APP-DETECT Anyplace proxy header detected (app-detect.rules)
 * 1:30254 <-> DISABLED <-> APP-DETECT Anyplace usage attempt (app-detect.rules)
 * 1:3061 <-> DISABLED <-> APP-DETECT distccd remote command execution attempt (app-detect.rules)
 * 1:30853 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org (app-detect.rules)
 * 1:30854 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com (app-detect.rules)
 * 1:32866 <-> DISABLED <-> APP-DETECT I2P UPNP query attempt (app-detect.rules)
 * 1:30855 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net (app-detect.rules)
 * 1:30856 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com (app-detect.rules)
 * 1:30857 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com (app-detect.rules)
 * 1:30858 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org (app-detect.rules)
 * 1:30859 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com (app-detect.rules)
 * 1:30860 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com (app-detect.rules)
 * 1:30861 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net (app-detect.rules)
 * 1:30862 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net (app-detect.rules)
 * 1:30863 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org (app-detect.rules)
 * 1:30864 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org (app-detect.rules)
 * 1:30865 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com (app-detect.rules)
 * 1:30866 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org (app-detect.rules)
 * 1:30867 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info (app-detect.rules)
 * 1:30868 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com (app-detect.rules)
 * 1:30869 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com (app-detect.rules)
 * 1:30870 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net (app-detect.rules)
 * 1:30871 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info (app-detect.rules)
 * 1:30872 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org (app-detect.rules)
 * 1:30873 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org (app-detect.rules)

2024-06-25 14:09:38 UTC

Snort Subscriber Rules Update

Date: 2024-06-25

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63606 <-> ENABLED <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt (malware-cnc.rules)
 * 1:63608 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
 * 1:63607 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
 * 3:63609 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
 * 3:63612 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
 * 3:63611 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
 * 3:63614 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
 * 3:63610 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
 * 3:63613 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)

Modified Rules:


 * 1:50870 <-> DISABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
 * 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:30871 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info (app-detect.rules)
 * 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (app-detect.rules)
 * 1:32866 <-> DISABLED <-> APP-DETECT I2P UPNP query attempt (app-detect.rules)
 * 1:33430 <-> DISABLED <-> APP-DETECT I2P traffic transmission attempt (app-detect.rules)
 * 1:37062 <-> DISABLED <-> APP-DETECT 12P DNS request attempt (app-detect.rules)
 * 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:34496 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query attempt (app-detect.rules)
 * 1:31532 <-> DISABLED <-> APP-DETECT Xolominer outbound connection attempt (app-detect.rules)
 * 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (app-detect.rules)
 * 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules)
 * 1:30874 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org (app-detect.rules)
 * 1:34463 <-> DISABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules)
 * 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:34497 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query response attempt (app-detect.rules)
 * 1:30875 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net (app-detect.rules)
 * 1:30870 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net (app-detect.rules)
 * 1:38594 <-> DISABLED <-> APP-DETECT Bloomberg web crawler outbound connection (app-detect.rules)
 * 1:42492 <-> DISABLED <-> APP-DETECT Intel AMT DHCP boot request detected (app-detect.rules)
 * 1:43565 <-> DISABLED <-> APP-DETECT HTTPTunnel proxy outbound connection detected (app-detect.rules)
 * 1:493 <-> DISABLED <-> APP-DETECT psyBNC access (app-detect.rules)
 * 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (app-detect.rules)
 * 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:560 <-> DISABLED <-> APP-DETECT VNC server response (app-detect.rules)
 * 1:13586 <-> DISABLED <-> APP-DETECT SSH server detected on non-standard port (app-detect.rules)
 * 1:15185 <-> DISABLED <-> APP-DETECT Nintendo Wii SSL Server Hello (app-detect.rules)
 * 1:13898 <-> DISABLED <-> APP-DETECT Apple iTunes client request for server info (app-detect.rules)
 * 1:13899 <-> DISABLED <-> APP-DETECT Apple iTunes client login attempt (app-detect.rules)
 * 1:13360 <-> DISABLED <-> APP-DETECT FTP 530 Login failed response (app-detect.rules)
 * 1:18609 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
 * 1:16680 <-> DISABLED <-> APP-DETECT Tandberg VCS SSH default key (app-detect.rules)
 * 1:17110 <-> DISABLED <-> APP-DETECT VxWorks remote debugging agent login attempt (app-detect.rules)
 * 1:13900 <-> DISABLED <-> APP-DETECT Apple iTunes server multicast DNS response (app-detect.rules)
 * 1:21332 <-> DISABLED <-> APP-DETECT Synergy network kvm usage detected (app-detect.rules)
 * 1:20443 <-> DISABLED <-> APP-DETECT Apple OSX Remote Mouse usage (app-detect.rules)
 * 1:21171 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
 * 1:18608 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
 * 1:24094 <-> DISABLED <-> APP-DETECT Teamviewer control server ping (app-detect.rules)
 * 1:21853 <-> DISABLED <-> APP-DETECT ptunnel icmp proxy (app-detect.rules)
 * 1:23616 <-> DISABLED <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested (app-detect.rules)
 * 1:21172 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
 * 1:30869 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com (app-detect.rules)
 * 1:25082 <-> DISABLED <-> APP-DETECT Apple Messages client side certificate request attempt (app-detect.rules)
 * 1:24095 <-> DISABLED <-> APP-DETECT Teamviewer installer download attempt (app-detect.rules)
 * 1:32865 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules)
 * 1:25080 <-> DISABLED <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt (app-detect.rules)
 * 1:566 <-> DISABLED <-> APP-DETECT PCAnywhere server response (app-detect.rules)
 * 1:23617 <-> DISABLED <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt (app-detect.rules)
 * 1:25360 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt (app-detect.rules)
 * 1:25083 <-> DISABLED <-> APP-DETECT Apple Messages service server request attempt (app-detect.rules)
 * 1:25358 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scan attempt (app-detect.rules)
 * 1:25081 <-> DISABLED <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt (app-detect.rules)
 * 1:25364 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt (app-detect.rules)
 * 1:25361 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt (app-detect.rules)
 * 1:25362 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt (app-detect.rules)
 * 1:25359 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner probe attempt (app-detect.rules)
 * 1:27046 <-> DISABLED <-> APP-DETECT iodine dns tunneling handshake server ACK (app-detect.rules)
 * 1:25365 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt (app-detect.rules)
 * 1:25947 <-> DISABLED <-> APP-DETECT Ammyy remote access tool (app-detect.rules)
 * 1:25363 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt (app-detect.rules)
 * 1:27700 <-> DISABLED <-> APP-DETECT NSTX DNS tunnel outbound connection attempt (app-detect.rules)
 * 1:27536 <-> DISABLED <-> APP-DETECT TCP over DNS response attempt (app-detect.rules)
 * 1:27668 <-> DISABLED <-> APP-DETECT Heyoka initial outbound connection attempt (app-detect.rules)
 * 1:26395 <-> DISABLED <-> APP-DETECT Ufasoft bitcoin miner possible data upload (app-detect.rules)
 * 1:27925 <-> DISABLED <-> APP-DETECT Splashtop Personal download attempt (app-detect.rules)
 * 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)
 * 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
 * 1:27669 <-> DISABLED <-> APP-DETECT Heyoka outbound communication attempt (app-detect.rules)
 * 1:27929 <-> DISABLED <-> APP-DETECT Splashtop communication attempt (app-detect.rules)
 * 1:27926 <-> DISABLED <-> APP-DETECT Splashtop Streamer certificate server connect attempt (app-detect.rules)
 * 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
 * 1:27924 <-> DISABLED <-> APP-DETECT Splashtop Streamer download attempt (app-detect.rules)
 * 1:27933 <-> DISABLED <-> APP-DETECT Splashtop streamer download attempt (app-detect.rules)
 * 1:27930 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.com (app-detect.rules)
 * 1:27931 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.net (app-detect.rules)
 * 1:27928 <-> DISABLED <-> APP-DETECT Splashtop connection attempt (app-detect.rules)
 * 1:28070 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com (app-detect.rules)
 * 1:27934 <-> DISABLED <-> APP-DETECT Splashtop personal download attempt (app-detect.rules)
 * 1:28068 <-> DISABLED <-> APP-DETECT 360.cn Safeguard runtime outbound communication (app-detect.rules)
 * 1:27932 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain devicevm.com (app-detect.rules)
 * 1:29320 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
 * 1:28071 <-> DISABLED <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt (app-detect.rules)
 * 1:28245 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt (app-detect.rules)
 * 1:28069 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn (app-detect.rules)
 * 1:29381 <-> DISABLED <-> APP-DETECT VPN Over DNS outbound traffic attempt (app-detect.rules)
 * 1:29321 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
 * 1:29322 <-> DISABLED <-> APP-DETECT Baidu IME runtime detection - remote sync (app-detect.rules)
 * 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)
 * 1:30253 <-> DISABLED <-> APP-DETECT Anyplace proxy header detected (app-detect.rules)
 * 1:29382 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
 * 1:29383 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
 * 1:29354 <-> DISABLED <-> APP-DETECT Foca file scanning attempt (app-detect.rules)
 * 1:30854 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com (app-detect.rules)
 * 1:30254 <-> DISABLED <-> APP-DETECT Anyplace usage attempt (app-detect.rules)
 * 1:3061 <-> DISABLED <-> APP-DETECT distccd remote command execution attempt (app-detect.rules)
 * 1:30195 <-> DISABLED <-> APP-DETECT Paros proxy outbound connection attempt (app-detect.rules)
 * 1:30858 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org (app-detect.rules)
 * 1:30855 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net (app-detect.rules)
 * 1:30856 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com (app-detect.rules)
 * 1:30873 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org (app-detect.rules)
 * 1:30853 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org (app-detect.rules)
 * 1:30862 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net (app-detect.rules)
 * 1:30859 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com (app-detect.rules)
 * 1:30860 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com (app-detect.rules)
 * 1:30857 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com (app-detect.rules)
 * 1:30866 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org (app-detect.rules)
 * 1:30863 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org (app-detect.rules)
 * 1:30864 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org (app-detect.rules)
 * 1:30861 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net (app-detect.rules)
 * 1:30867 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info (app-detect.rules)
 * 1:30868 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com (app-detect.rules)
 * 1:30865 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com (app-detect.rules)
 * 1:37354 <-> DISABLED <-> APP-DETECT Jenkins Groovy script access through script console attempt (app-detect.rules)
 * 1:30872 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org (app-detect.rules)
 * 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
 * 1:32864 <-> DISABLED <-> APP-DETECT I2P NetBIOS name resolution request attempt (app-detect.rules)

2024-06-25 14:09:38 UTC

Snort Subscriber Rules Update

Date: 2024-06-25

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63606 <-> ENABLED <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt (malware-cnc.rules)
 * 1:63607 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
 * 1:63608 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
 * 3:63611 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
 * 3:63613 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
 * 3:63610 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
 * 3:63609 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
 * 3:63612 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
 * 3:63614 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)

Modified Rules:


 * 1:32864 <-> DISABLED <-> APP-DETECT I2P NetBIOS name resolution request attempt (app-detect.rules)
 * 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:30874 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org (app-detect.rules)
 * 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
 * 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (app-detect.rules)
 * 1:30873 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org (app-detect.rules)
 * 1:30875 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net (app-detect.rules)
 * 1:37062 <-> DISABLED <-> APP-DETECT 12P DNS request attempt (app-detect.rules)
 * 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules)
 * 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (app-detect.rules)
 * 1:30195 <-> DISABLED <-> APP-DETECT Paros proxy outbound connection attempt (app-detect.rules)
 * 1:34497 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query response attempt (app-detect.rules)
 * 1:34496 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query attempt (app-detect.rules)
 * 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:34463 <-> DISABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules)
 * 1:31532 <-> DISABLED <-> APP-DETECT Xolominer outbound connection attempt (app-detect.rules)
 * 1:33430 <-> DISABLED <-> APP-DETECT I2P traffic transmission attempt (app-detect.rules)
 * 1:30254 <-> DISABLED <-> APP-DETECT Anyplace usage attempt (app-detect.rules)
 * 1:29320 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
 * 1:30865 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com (app-detect.rules)
 * 1:32865 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules)
 * 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:13360 <-> DISABLED <-> APP-DETECT FTP 530 Login failed response (app-detect.rules)
 * 1:13900 <-> DISABLED <-> APP-DETECT Apple iTunes server multicast DNS response (app-detect.rules)
 * 1:13898 <-> DISABLED <-> APP-DETECT Apple iTunes client request for server info (app-detect.rules)
 * 1:13899 <-> DISABLED <-> APP-DETECT Apple iTunes client login attempt (app-detect.rules)
 * 1:18608 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
 * 1:13586 <-> DISABLED <-> APP-DETECT SSH server detected on non-standard port (app-detect.rules)
 * 1:16680 <-> DISABLED <-> APP-DETECT Tandberg VCS SSH default key (app-detect.rules)
 * 1:17110 <-> DISABLED <-> APP-DETECT VxWorks remote debugging agent login attempt (app-detect.rules)
 * 1:21172 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
 * 1:15185 <-> DISABLED <-> APP-DETECT Nintendo Wii SSL Server Hello (app-detect.rules)
 * 1:20443 <-> DISABLED <-> APP-DETECT Apple OSX Remote Mouse usage (app-detect.rules)
 * 1:21171 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
 * 1:23617 <-> DISABLED <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt (app-detect.rules)
 * 1:18609 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
 * 1:21853 <-> DISABLED <-> APP-DETECT ptunnel icmp proxy (app-detect.rules)
 * 1:23616 <-> DISABLED <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested (app-detect.rules)
 * 1:25081 <-> DISABLED <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt (app-detect.rules)
 * 1:21332 <-> DISABLED <-> APP-DETECT Synergy network kvm usage detected (app-detect.rules)
 * 1:24095 <-> DISABLED <-> APP-DETECT Teamviewer installer download attempt (app-detect.rules)
 * 1:25080 <-> DISABLED <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt (app-detect.rules)
 * 1:25359 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner probe attempt (app-detect.rules)
 * 1:24094 <-> DISABLED <-> APP-DETECT Teamviewer control server ping (app-detect.rules)
 * 1:25083 <-> DISABLED <-> APP-DETECT Apple Messages service server request attempt (app-detect.rules)
 * 1:25358 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scan attempt (app-detect.rules)
 * 1:25363 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt (app-detect.rules)
 * 1:25082 <-> DISABLED <-> APP-DETECT Apple Messages client side certificate request attempt (app-detect.rules)
 * 1:25361 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt (app-detect.rules)
 * 1:25362 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt (app-detect.rules)
 * 1:26395 <-> DISABLED <-> APP-DETECT Ufasoft bitcoin miner possible data upload (app-detect.rules)
 * 1:25360 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt (app-detect.rules)
 * 1:25365 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt (app-detect.rules)
 * 1:25947 <-> DISABLED <-> APP-DETECT Ammyy remote access tool (app-detect.rules)
 * 1:27669 <-> DISABLED <-> APP-DETECT Heyoka outbound communication attempt (app-detect.rules)
 * 1:25364 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt (app-detect.rules)
 * 1:27536 <-> DISABLED <-> APP-DETECT TCP over DNS response attempt (app-detect.rules)
 * 1:27668 <-> DISABLED <-> APP-DETECT Heyoka initial outbound connection attempt (app-detect.rules)
 * 1:27924 <-> DISABLED <-> APP-DETECT Splashtop Streamer download attempt (app-detect.rules)
 * 1:27046 <-> DISABLED <-> APP-DETECT iodine dns tunneling handshake server ACK (app-detect.rules)
 * 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)
 * 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
 * 1:27928 <-> DISABLED <-> APP-DETECT Splashtop connection attempt (app-detect.rules)
 * 1:27700 <-> DISABLED <-> APP-DETECT NSTX DNS tunnel outbound connection attempt (app-detect.rules)
 * 1:27926 <-> DISABLED <-> APP-DETECT Splashtop Streamer certificate server connect attempt (app-detect.rules)
 * 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
 * 1:27932 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain devicevm.com (app-detect.rules)
 * 1:27925 <-> DISABLED <-> APP-DETECT Splashtop Personal download attempt (app-detect.rules)
 * 1:27930 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.com (app-detect.rules)
 * 1:27931 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.net (app-detect.rules)
 * 1:30866 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org (app-detect.rules)
 * 1:28069 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn (app-detect.rules)
 * 1:27929 <-> DISABLED <-> APP-DETECT Splashtop communication attempt (app-detect.rules)
 * 1:30870 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net (app-detect.rules)
 * 1:27934 <-> DISABLED <-> APP-DETECT Splashtop personal download attempt (app-detect.rules)
 * 1:30867 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info (app-detect.rules)
 * 1:28068 <-> DISABLED <-> APP-DETECT 360.cn Safeguard runtime outbound communication (app-detect.rules)
 * 1:30868 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com (app-detect.rules)
 * 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)
 * 1:30869 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com (app-detect.rules)
 * 1:27933 <-> DISABLED <-> APP-DETECT Splashtop streamer download attempt (app-detect.rules)
 * 1:28071 <-> DISABLED <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt (app-detect.rules)
 * 1:30871 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info (app-detect.rules)
 * 1:28245 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt (app-detect.rules)
 * 1:29354 <-> DISABLED <-> APP-DETECT Foca file scanning attempt (app-detect.rules)
 * 1:28070 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com (app-detect.rules)
 * 1:29321 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
 * 1:29322 <-> DISABLED <-> APP-DETECT Baidu IME runtime detection - remote sync (app-detect.rules)
 * 1:29382 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
 * 1:29383 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
 * 1:30853 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org (app-detect.rules)
 * 1:29381 <-> DISABLED <-> APP-DETECT VPN Over DNS outbound traffic attempt (app-detect.rules)
 * 1:3061 <-> DISABLED <-> APP-DETECT distccd remote command execution attempt (app-detect.rules)
 * 1:30857 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com (app-detect.rules)
 * 1:30253 <-> DISABLED <-> APP-DETECT Anyplace proxy header detected (app-detect.rules)
 * 1:30855 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net (app-detect.rules)
 * 1:30856 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com (app-detect.rules)
 * 1:30861 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net (app-detect.rules)
 * 1:30854 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com (app-detect.rules)
 * 1:30859 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com (app-detect.rules)
 * 1:30860 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com (app-detect.rules)
 * 1:30858 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org (app-detect.rules)
 * 1:30863 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org (app-detect.rules)
 * 1:30864 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org (app-detect.rules)
 * 1:30862 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net (app-detect.rules)
 * 1:32866 <-> DISABLED <-> APP-DETECT I2P UPNP query attempt (app-detect.rules)
 * 1:30872 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org (app-detect.rules)
 * 1:37354 <-> DISABLED <-> APP-DETECT Jenkins Groovy script access through script console attempt (app-detect.rules)
 * 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:38594 <-> DISABLED <-> APP-DETECT Bloomberg web crawler outbound connection (app-detect.rules)
 * 1:43565 <-> DISABLED <-> APP-DETECT HTTPTunnel proxy outbound connection detected (app-detect.rules)
 * 1:42492 <-> DISABLED <-> APP-DETECT Intel AMT DHCP boot request detected (app-detect.rules)
 * 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (app-detect.rules)
 * 1:493 <-> DISABLED <-> APP-DETECT psyBNC access (app-detect.rules)
 * 1:566 <-> DISABLED <-> APP-DETECT PCAnywhere server response (app-detect.rules)
 * 1:560 <-> DISABLED <-> APP-DETECT VNC server response (app-detect.rules)
 * 1:50870 <-> DISABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)

2024-06-25 14:09:38 UTC

Snort Subscriber Rules Update

Date: 2024-06-25

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63608 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
 * 1:63606 <-> ENABLED <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt (malware-cnc.rules)
 * 1:63607 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
 * 3:63612 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
 * 3:63611 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
 * 3:63613 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
 * 3:63609 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
 * 3:63614 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
 * 3:63610 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
 * 1:37062 <-> DISABLED <-> APP-DETECT 12P DNS request attempt (app-detect.rules)
 * 1:34463 <-> DISABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules)
 * 1:30871 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info (app-detect.rules)
 * 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:30873 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org (app-detect.rules)
 * 1:34496 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query attempt (app-detect.rules)
 * 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:33430 <-> DISABLED <-> APP-DETECT I2P traffic transmission attempt (app-detect.rules)
 * 1:30870 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net (app-detect.rules)
 * 1:38594 <-> DISABLED <-> APP-DETECT Bloomberg web crawler outbound connection (app-detect.rules)
 * 1:32866 <-> DISABLED <-> APP-DETECT I2P UPNP query attempt (app-detect.rules)
 * 1:493 <-> DISABLED <-> APP-DETECT psyBNC access (app-detect.rules)
 * 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (app-detect.rules)
 * 1:42492 <-> DISABLED <-> APP-DETECT Intel AMT DHCP boot request detected (app-detect.rules)
 * 1:50870 <-> DISABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
 * 1:560 <-> DISABLED <-> APP-DETECT VNC server response (app-detect.rules)
 * 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:43565 <-> DISABLED <-> APP-DETECT HTTPTunnel proxy outbound connection detected (app-detect.rules)
 * 1:30875 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net (app-detect.rules)
 * 1:566 <-> DISABLED <-> APP-DETECT PCAnywhere server response (app-detect.rules)
 * 1:34497 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query response attempt (app-detect.rules)
 * 1:32864 <-> DISABLED <-> APP-DETECT I2P NetBIOS name resolution request attempt (app-detect.rules)
 * 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (app-detect.rules)
 * 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:13360 <-> DISABLED <-> APP-DETECT FTP 530 Login failed response (app-detect.rules)
 * 1:13586 <-> DISABLED <-> APP-DETECT SSH server detected on non-standard port (app-detect.rules)
 * 1:13898 <-> DISABLED <-> APP-DETECT Apple iTunes client request for server info (app-detect.rules)
 * 1:13899 <-> DISABLED <-> APP-DETECT Apple iTunes client login attempt (app-detect.rules)
 * 1:13900 <-> DISABLED <-> APP-DETECT Apple iTunes server multicast DNS response (app-detect.rules)
 * 1:15185 <-> DISABLED <-> APP-DETECT Nintendo Wii SSL Server Hello (app-detect.rules)
 * 1:16680 <-> DISABLED <-> APP-DETECT Tandberg VCS SSH default key (app-detect.rules)
 * 1:17110 <-> DISABLED <-> APP-DETECT VxWorks remote debugging agent login attempt (app-detect.rules)
 * 1:18608 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
 * 1:18609 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
 * 1:20443 <-> DISABLED <-> APP-DETECT Apple OSX Remote Mouse usage (app-detect.rules)
 * 1:21171 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
 * 1:21172 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
 * 1:21332 <-> DISABLED <-> APP-DETECT Synergy network kvm usage detected (app-detect.rules)
 * 1:21853 <-> DISABLED <-> APP-DETECT ptunnel icmp proxy (app-detect.rules)
 * 1:23616 <-> DISABLED <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested (app-detect.rules)
 * 1:23617 <-> DISABLED <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt (app-detect.rules)
 * 1:24094 <-> DISABLED <-> APP-DETECT Teamviewer control server ping (app-detect.rules)
 * 1:24095 <-> DISABLED <-> APP-DETECT Teamviewer installer download attempt (app-detect.rules)
 * 1:25080 <-> DISABLED <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt (app-detect.rules)
 * 1:25081 <-> DISABLED <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt (app-detect.rules)
 * 1:25082 <-> DISABLED <-> APP-DETECT Apple Messages client side certificate request attempt (app-detect.rules)
 * 1:25083 <-> DISABLED <-> APP-DETECT Apple Messages service server request attempt (app-detect.rules)
 * 1:25358 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scan attempt (app-detect.rules)
 * 1:25359 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner probe attempt (app-detect.rules)
 * 1:25360 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt (app-detect.rules)
 * 1:25361 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt (app-detect.rules)
 * 1:25362 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt (app-detect.rules)
 * 1:25363 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt (app-detect.rules)
 * 1:25364 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt (app-detect.rules)
 * 1:25365 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt (app-detect.rules)
 * 1:25947 <-> DISABLED <-> APP-DETECT Ammyy remote access tool (app-detect.rules)
 * 1:26395 <-> DISABLED <-> APP-DETECT Ufasoft bitcoin miner possible data upload (app-detect.rules)
 * 1:27046 <-> DISABLED <-> APP-DETECT iodine dns tunneling handshake server ACK (app-detect.rules)
 * 1:27536 <-> DISABLED <-> APP-DETECT TCP over DNS response attempt (app-detect.rules)
 * 1:27668 <-> DISABLED <-> APP-DETECT Heyoka initial outbound connection attempt (app-detect.rules)
 * 1:27669 <-> DISABLED <-> APP-DETECT Heyoka outbound communication attempt (app-detect.rules)
 * 1:27700 <-> DISABLED <-> APP-DETECT NSTX DNS tunnel outbound connection attempt (app-detect.rules)
 * 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)
 * 1:30874 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org (app-detect.rules)
 * 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
 * 1:27924 <-> DISABLED <-> APP-DETECT Splashtop Streamer download attempt (app-detect.rules)
 * 1:27925 <-> DISABLED <-> APP-DETECT Splashtop Personal download attempt (app-detect.rules)
 * 1:27926 <-> DISABLED <-> APP-DETECT Splashtop Streamer certificate server connect attempt (app-detect.rules)
 * 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
 * 1:27928 <-> DISABLED <-> APP-DETECT Splashtop connection attempt (app-detect.rules)
 * 1:27929 <-> DISABLED <-> APP-DETECT Splashtop communication attempt (app-detect.rules)
 * 1:27930 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.com (app-detect.rules)
 * 1:27931 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.net (app-detect.rules)
 * 1:27932 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain devicevm.com (app-detect.rules)
 * 1:27933 <-> DISABLED <-> APP-DETECT Splashtop streamer download attempt (app-detect.rules)
 * 1:27934 <-> DISABLED <-> APP-DETECT Splashtop personal download attempt (app-detect.rules)
 * 1:28068 <-> DISABLED <-> APP-DETECT 360.cn Safeguard runtime outbound communication (app-detect.rules)
 * 1:28069 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn (app-detect.rules)
 * 1:28070 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com (app-detect.rules)
 * 1:28071 <-> DISABLED <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt (app-detect.rules)
 * 1:28245 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt (app-detect.rules)
 * 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)
 * 1:29320 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
 * 1:29321 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
 * 1:29322 <-> DISABLED <-> APP-DETECT Baidu IME runtime detection - remote sync (app-detect.rules)
 * 1:29354 <-> DISABLED <-> APP-DETECT Foca file scanning attempt (app-detect.rules)
 * 1:29381 <-> DISABLED <-> APP-DETECT VPN Over DNS outbound traffic attempt (app-detect.rules)
 * 1:29382 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
 * 1:29383 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
 * 1:30195 <-> DISABLED <-> APP-DETECT Paros proxy outbound connection attempt (app-detect.rules)
 * 1:30253 <-> DISABLED <-> APP-DETECT Anyplace proxy header detected (app-detect.rules)
 * 1:30254 <-> DISABLED <-> APP-DETECT Anyplace usage attempt (app-detect.rules)
 * 1:3061 <-> DISABLED <-> APP-DETECT distccd remote command execution attempt (app-detect.rules)
 * 1:30853 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org (app-detect.rules)
 * 1:30854 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com (app-detect.rules)
 * 1:30855 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net (app-detect.rules)
 * 1:30856 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com (app-detect.rules)
 * 1:30857 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com (app-detect.rules)
 * 1:30858 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org (app-detect.rules)
 * 1:30859 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com (app-detect.rules)
 * 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules)
 * 1:30860 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com (app-detect.rules)
 * 1:30861 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net (app-detect.rules)
 * 1:30862 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net (app-detect.rules)
 * 1:30863 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org (app-detect.rules)
 * 1:30864 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org (app-detect.rules)
 * 1:30865 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com (app-detect.rules)
 * 1:30866 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org (app-detect.rules)
 * 1:30867 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info (app-detect.rules)
 * 1:30868 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com (app-detect.rules)
 * 1:30869 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com (app-detect.rules)
 * 1:30872 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org (app-detect.rules)
 * 1:32865 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules)
 * 1:37354 <-> DISABLED <-> APP-DETECT Jenkins Groovy script access through script console attempt (app-detect.rules)
 * 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (app-detect.rules)
 * 1:31532 <-> DISABLED <-> APP-DETECT Xolominer outbound connection attempt (app-detect.rules)

2024-06-25 14:09:38 UTC

Snort Subscriber Rules Update

Date: 2024-06-25

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63606 <-> ENABLED <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt (malware-cnc.rules)
 * 1:63607 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
 * 1:63608 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
 * 3:63611 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
 * 3:63612 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
 * 3:63613 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
 * 3:63609 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
 * 3:63610 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
 * 3:63614 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)

Modified Rules:


 * 1:32866 <-> DISABLED <-> APP-DETECT I2P UPNP query attempt (app-detect.rules)
 * 1:566 <-> DISABLED <-> APP-DETECT PCAnywhere server response (app-detect.rules)
 * 1:30870 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net (app-detect.rules)
 * 1:50870 <-> DISABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
 * 1:30854 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com (app-detect.rules)
 * 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:30859 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com (app-detect.rules)
 * 1:33430 <-> DISABLED <-> APP-DETECT I2P traffic transmission attempt (app-detect.rules)
 * 1:31532 <-> DISABLED <-> APP-DETECT Xolominer outbound connection attempt (app-detect.rules)
 * 1:13360 <-> DISABLED <-> APP-DETECT FTP 530 Login failed response (app-detect.rules)
 * 1:13898 <-> DISABLED <-> APP-DETECT Apple iTunes client request for server info (app-detect.rules)
 * 1:13900 <-> DISABLED <-> APP-DETECT Apple iTunes server multicast DNS response (app-detect.rules)
 * 1:13586 <-> DISABLED <-> APP-DETECT SSH server detected on non-standard port (app-detect.rules)
 * 1:16680 <-> DISABLED <-> APP-DETECT Tandberg VCS SSH default key (app-detect.rules)
 * 1:18608 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
 * 1:15185 <-> DISABLED <-> APP-DETECT Nintendo Wii SSL Server Hello (app-detect.rules)
 * 1:20443 <-> DISABLED <-> APP-DETECT Apple OSX Remote Mouse usage (app-detect.rules)
 * 1:21172 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
 * 1:18609 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
 * 1:21853 <-> DISABLED <-> APP-DETECT ptunnel icmp proxy (app-detect.rules)
 * 1:13899 <-> DISABLED <-> APP-DETECT Apple iTunes client login attempt (app-detect.rules)
 * 1:23617 <-> DISABLED <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt (app-detect.rules)
 * 1:21332 <-> DISABLED <-> APP-DETECT Synergy network kvm usage detected (app-detect.rules)
 * 1:24095 <-> DISABLED <-> APP-DETECT Teamviewer installer download attempt (app-detect.rules)
 * 1:17110 <-> DISABLED <-> APP-DETECT VxWorks remote debugging agent login attempt (app-detect.rules)
 * 1:25081 <-> DISABLED <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt (app-detect.rules)
 * 1:24094 <-> DISABLED <-> APP-DETECT Teamviewer control server ping (app-detect.rules)
 * 1:25083 <-> DISABLED <-> APP-DETECT Apple Messages service server request attempt (app-detect.rules)
 * 1:21171 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
 * 1:25359 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner probe attempt (app-detect.rules)
 * 1:25082 <-> DISABLED <-> APP-DETECT Apple Messages client side certificate request attempt (app-detect.rules)
 * 1:25361 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt (app-detect.rules)
 * 1:23616 <-> DISABLED <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested (app-detect.rules)
 * 1:25363 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt (app-detect.rules)
 * 1:25360 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt (app-detect.rules)
 * 1:25365 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt (app-detect.rules)
 * 1:25080 <-> DISABLED <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt (app-detect.rules)
 * 1:26395 <-> DISABLED <-> APP-DETECT Ufasoft bitcoin miner possible data upload (app-detect.rules)
 * 1:25364 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt (app-detect.rules)
 * 1:27536 <-> DISABLED <-> APP-DETECT TCP over DNS response attempt (app-detect.rules)
 * 1:25358 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scan attempt (app-detect.rules)
 * 1:27669 <-> DISABLED <-> APP-DETECT Heyoka outbound communication attempt (app-detect.rules)
 * 1:27046 <-> DISABLED <-> APP-DETECT iodine dns tunneling handshake server ACK (app-detect.rules)
 * 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
 * 1:25362 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt (app-detect.rules)
 * 1:34496 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query attempt (app-detect.rules)
 * 1:34497 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query response attempt (app-detect.rules)
 * 1:30867 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info (app-detect.rules)
 * 1:30861 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net (app-detect.rules)
 * 1:37062 <-> DISABLED <-> APP-DETECT 12P DNS request attempt (app-detect.rules)
 * 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:27925 <-> DISABLED <-> APP-DETECT Splashtop Personal download attempt (app-detect.rules)
 * 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:30860 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com (app-detect.rules)
 * 1:493 <-> DISABLED <-> APP-DETECT psyBNC access (app-detect.rules)
 * 1:38594 <-> DISABLED <-> APP-DETECT Bloomberg web crawler outbound connection (app-detect.rules)
 * 1:30875 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net (app-detect.rules)
 * 1:30254 <-> DISABLED <-> APP-DETECT Anyplace usage attempt (app-detect.rules)
 * 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (app-detect.rules)
 * 1:30855 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net (app-detect.rules)
 * 1:34463 <-> DISABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules)
 * 1:30865 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com (app-detect.rules)
 * 1:32865 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules)
 * 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)
 * 1:30857 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com (app-detect.rules)
 * 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
 * 1:43565 <-> DISABLED <-> APP-DETECT HTTPTunnel proxy outbound connection detected (app-detect.rules)
 * 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (app-detect.rules)
 * 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
 * 1:42492 <-> DISABLED <-> APP-DETECT Intel AMT DHCP boot request detected (app-detect.rules)
 * 1:30869 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com (app-detect.rules)
 * 1:25947 <-> DISABLED <-> APP-DETECT Ammyy remote access tool (app-detect.rules)
 * 1:30864 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org (app-detect.rules)
 * 1:30853 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org (app-detect.rules)
 * 1:560 <-> DISABLED <-> APP-DETECT VNC server response (app-detect.rules)
 * 1:30868 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com (app-detect.rules)
 * 1:30862 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net (app-detect.rules)
 * 1:30195 <-> DISABLED <-> APP-DETECT Paros proxy outbound connection attempt (app-detect.rules)
 * 1:30863 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org (app-detect.rules)
 * 1:30866 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org (app-detect.rules)
 * 1:30871 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info (app-detect.rules)
 * 1:37354 <-> DISABLED <-> APP-DETECT Jenkins Groovy script access through script console attempt (app-detect.rules)
 * 1:30874 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org (app-detect.rules)
 * 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (app-detect.rules)
 * 1:32864 <-> DISABLED <-> APP-DETECT I2P NetBIOS name resolution request attempt (app-detect.rules)
 * 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules)
 * 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:27929 <-> DISABLED <-> APP-DETECT Splashtop communication attempt (app-detect.rules)
 * 1:27926 <-> DISABLED <-> APP-DETECT Splashtop Streamer certificate server connect attempt (app-detect.rules)
 * 1:27931 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.net (app-detect.rules)
 * 1:27668 <-> DISABLED <-> APP-DETECT Heyoka initial outbound connection attempt (app-detect.rules)
 * 1:27933 <-> DISABLED <-> APP-DETECT Splashtop streamer download attempt (app-detect.rules)
 * 1:27930 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.com (app-detect.rules)
 * 1:28068 <-> DISABLED <-> APP-DETECT 360.cn Safeguard runtime outbound communication (app-detect.rules)
 * 1:27924 <-> DISABLED <-> APP-DETECT Splashtop Streamer download attempt (app-detect.rules)
 * 1:28070 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com (app-detect.rules)
 * 1:27934 <-> DISABLED <-> APP-DETECT Splashtop personal download attempt (app-detect.rules)
 * 1:28245 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt (app-detect.rules)
 * 1:27928 <-> DISABLED <-> APP-DETECT Splashtop connection attempt (app-detect.rules)
 * 1:30873 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org (app-detect.rules)
 * 1:29320 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
 * 1:28071 <-> DISABLED <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt (app-detect.rules)
 * 1:29322 <-> DISABLED <-> APP-DETECT Baidu IME runtime detection - remote sync (app-detect.rules)
 * 1:27932 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain devicevm.com (app-detect.rules)
 * 1:29381 <-> DISABLED <-> APP-DETECT VPN Over DNS outbound traffic attempt (app-detect.rules)
 * 1:29321 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
 * 1:29383 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
 * 1:28069 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn (app-detect.rules)
 * 1:30253 <-> DISABLED <-> APP-DETECT Anyplace proxy header detected (app-detect.rules)
 * 1:29382 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
 * 1:3061 <-> DISABLED <-> APP-DETECT distccd remote command execution attempt (app-detect.rules)
 * 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)
 * 1:30856 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com (app-detect.rules)
 * 1:29354 <-> DISABLED <-> APP-DETECT Foca file scanning attempt (app-detect.rules)
 * 1:30858 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org (app-detect.rules)
 * 1:27700 <-> DISABLED <-> APP-DETECT NSTX DNS tunnel outbound connection attempt (app-detect.rules)
 * 1:30872 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org (app-detect.rules)

2024-06-25 14:09:38 UTC

Snort Subscriber Rules Update

Date: 2024-06-25

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63606 <-> ENABLED <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt (malware-cnc.rules)
 * 1:63608 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
 * 1:63607 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download (malware-tools.rules)
 * 3:63612 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
 * 3:63614 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
 * 3:63610 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)
 * 3:63611 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt (file-pdf.rules)
 * 3:63613 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt (os-other.rules)
 * 3:63609 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:34497 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query response attempt (app-detect.rules)
 * 1:33430 <-> DISABLED <-> APP-DETECT I2P traffic transmission attempt (app-detect.rules)
 * 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:32864 <-> DISABLED <-> APP-DETECT I2P NetBIOS name resolution request attempt (app-detect.rules)
 * 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:38594 <-> DISABLED <-> APP-DETECT Bloomberg web crawler outbound connection (app-detect.rules)
 * 1:42492 <-> DISABLED <-> APP-DETECT Intel AMT DHCP boot request detected (app-detect.rules)
 * 1:493 <-> DISABLED <-> APP-DETECT psyBNC access (app-detect.rules)
 * 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (app-detect.rules)
 * 1:560 <-> DISABLED <-> APP-DETECT VNC server response (app-detect.rules)
 * 1:50870 <-> DISABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
 * 1:37354 <-> DISABLED <-> APP-DETECT Jenkins Groovy script access through script console attempt (app-detect.rules)
 * 1:43565 <-> DISABLED <-> APP-DETECT HTTPTunnel proxy outbound connection detected (app-detect.rules)
 * 1:566 <-> DISABLED <-> APP-DETECT PCAnywhere server response (app-detect.rules)
 * 1:13360 <-> DISABLED <-> APP-DETECT FTP 530 Login failed response (app-detect.rules)
 * 1:13586 <-> DISABLED <-> APP-DETECT SSH server detected on non-standard port (app-detect.rules)
 * 1:13898 <-> DISABLED <-> APP-DETECT Apple iTunes client request for server info (app-detect.rules)
 * 1:13899 <-> DISABLED <-> APP-DETECT Apple iTunes client login attempt (app-detect.rules)
 * 1:13900 <-> DISABLED <-> APP-DETECT Apple iTunes server multicast DNS response (app-detect.rules)
 * 1:15185 <-> DISABLED <-> APP-DETECT Nintendo Wii SSL Server Hello (app-detect.rules)
 * 1:16680 <-> DISABLED <-> APP-DETECT Tandberg VCS SSH default key (app-detect.rules)
 * 1:17110 <-> DISABLED <-> APP-DETECT VxWorks remote debugging agent login attempt (app-detect.rules)
 * 1:18608 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
 * 1:18609 <-> DISABLED <-> APP-DETECT Dropbox desktop software in use (app-detect.rules)
 * 1:20443 <-> DISABLED <-> APP-DETECT Apple OSX Remote Mouse usage (app-detect.rules)
 * 1:21171 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
 * 1:21172 <-> DISABLED <-> APP-DETECT Thunder p2p application activity detection (app-detect.rules)
 * 1:21332 <-> DISABLED <-> APP-DETECT Synergy network kvm usage detected (app-detect.rules)
 * 1:21853 <-> DISABLED <-> APP-DETECT ptunnel icmp proxy (app-detect.rules)
 * 1:23616 <-> DISABLED <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested (app-detect.rules)
 * 1:23617 <-> DISABLED <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt (app-detect.rules)
 * 1:24094 <-> DISABLED <-> APP-DETECT Teamviewer control server ping (app-detect.rules)
 * 1:24095 <-> DISABLED <-> APP-DETECT Teamviewer installer download attempt (app-detect.rules)
 * 1:25080 <-> DISABLED <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt (app-detect.rules)
 * 1:25081 <-> DISABLED <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt (app-detect.rules)
 * 1:25082 <-> DISABLED <-> APP-DETECT Apple Messages client side certificate request attempt (app-detect.rules)
 * 1:25083 <-> DISABLED <-> APP-DETECT Apple Messages service server request attempt (app-detect.rules)
 * 1:25358 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scan attempt (app-detect.rules)
 * 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:25359 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner probe attempt (app-detect.rules)
 * 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
 * 1:30872 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org (app-detect.rules)
 * 1:25360 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt (app-detect.rules)
 * 1:25361 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt (app-detect.rules)
 * 1:31532 <-> DISABLED <-> APP-DETECT Xolominer outbound connection attempt (app-detect.rules)
 * 1:25362 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt (app-detect.rules)
 * 1:32865 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules)
 * 1:25363 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt (app-detect.rules)
 * 1:25364 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt (app-detect.rules)
 * 1:25365 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt (app-detect.rules)
 * 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules)
 * 1:25947 <-> DISABLED <-> APP-DETECT Ammyy remote access tool (app-detect.rules)
 * 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (app-detect.rules)
 * 1:30875 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net (app-detect.rules)
 * 1:30870 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net (app-detect.rules)
 * 1:26395 <-> DISABLED <-> APP-DETECT Ufasoft bitcoin miner possible data upload (app-detect.rules)
 * 1:27046 <-> DISABLED <-> APP-DETECT iodine dns tunneling handshake server ACK (app-detect.rules)
 * 1:27536 <-> DISABLED <-> APP-DETECT TCP over DNS response attempt (app-detect.rules)
 * 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:27668 <-> DISABLED <-> APP-DETECT Heyoka initial outbound connection attempt (app-detect.rules)
 * 1:27669 <-> DISABLED <-> APP-DETECT Heyoka outbound communication attempt (app-detect.rules)
 * 1:27700 <-> DISABLED <-> APP-DETECT NSTX DNS tunnel outbound connection attempt (app-detect.rules)
 * 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)
 * 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
 * 1:27924 <-> DISABLED <-> APP-DETECT Splashtop Streamer download attempt (app-detect.rules)
 * 1:27925 <-> DISABLED <-> APP-DETECT Splashtop Personal download attempt (app-detect.rules)
 * 1:27926 <-> DISABLED <-> APP-DETECT Splashtop Streamer certificate server connect attempt (app-detect.rules)
 * 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
 * 1:27928 <-> DISABLED <-> APP-DETECT Splashtop connection attempt (app-detect.rules)
 * 1:27929 <-> DISABLED <-> APP-DETECT Splashtop communication attempt (app-detect.rules)
 * 1:30874 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org (app-detect.rules)
 * 1:27930 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.com (app-detect.rules)
 * 1:27931 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.net (app-detect.rules)
 * 1:27932 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain devicevm.com (app-detect.rules)
 * 1:27933 <-> DISABLED <-> APP-DETECT Splashtop streamer download attempt (app-detect.rules)
 * 1:27934 <-> DISABLED <-> APP-DETECT Splashtop personal download attempt (app-detect.rules)
 * 1:30871 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info (app-detect.rules)
 * 1:28068 <-> DISABLED <-> APP-DETECT 360.cn Safeguard runtime outbound communication (app-detect.rules)
 * 1:28069 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn (app-detect.rules)
 * 1:28070 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com (app-detect.rules)
 * 1:28071 <-> DISABLED <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt (app-detect.rules)
 * 1:28245 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt (app-detect.rules)
 * 1:30873 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org (app-detect.rules)
 * 1:32866 <-> DISABLED <-> APP-DETECT I2P UPNP query attempt (app-detect.rules)
 * 1:34496 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query attempt (app-detect.rules)
 * 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)
 * 1:29320 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
 * 1:29321 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
 * 1:29322 <-> DISABLED <-> APP-DETECT Baidu IME runtime detection - remote sync (app-detect.rules)
 * 1:29354 <-> DISABLED <-> APP-DETECT Foca file scanning attempt (app-detect.rules)
 * 1:29381 <-> DISABLED <-> APP-DETECT VPN Over DNS outbound traffic attempt (app-detect.rules)
 * 1:29382 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
 * 1:29383 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
 * 1:30195 <-> DISABLED <-> APP-DETECT Paros proxy outbound connection attempt (app-detect.rules)
 * 1:30253 <-> DISABLED <-> APP-DETECT Anyplace proxy header detected (app-detect.rules)
 * 1:30254 <-> DISABLED <-> APP-DETECT Anyplace usage attempt (app-detect.rules)
 * 1:3061 <-> DISABLED <-> APP-DETECT distccd remote command execution attempt (app-detect.rules)
 * 1:30853 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org (app-detect.rules)
 * 1:30854 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com (app-detect.rules)
 * 1:30855 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net (app-detect.rules)
 * 1:30856 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com (app-detect.rules)
 * 1:30857 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com (app-detect.rules)
 * 1:30858 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org (app-detect.rules)
 * 1:30859 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com (app-detect.rules)
 * 1:30860 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com (app-detect.rules)
 * 1:30861 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net (app-detect.rules)
 * 1:30862 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net (app-detect.rules)
 * 1:30863 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org (app-detect.rules)
 * 1:30864 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org (app-detect.rules)
 * 1:30865 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com (app-detect.rules)
 * 1:30866 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org (app-detect.rules)
 * 1:37062 <-> DISABLED <-> APP-DETECT 12P DNS request attempt (app-detect.rules)
 * 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (app-detect.rules)
 * 1:30867 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info (app-detect.rules)
 * 1:30868 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com (app-detect.rules)
 * 1:30869 <-> DISABLED <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com (app-detect.rules)
 * 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:34463 <-> DISABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules)

2024-06-25 14:13:06 UTC

Snort Subscriber Rules Update

Date: 2024-06-24-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.0.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt

Modified Rules:

* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected


2024-06-25 14:13:06 UTC

Snort Subscriber Rules Update

Date: 2024-06-24-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt

Modified Rules:

* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected


2024-06-25 14:13:06 UTC

Snort Subscriber Rules Update

Date: 2024-06-24-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt

Modified Rules:

* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected


2024-06-25 14:13:06 UTC

Snort Subscriber Rules Update

Date: 2024-06-24-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt

Modified Rules:

* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected


2024-06-25 14:13:06 UTC

Snort Subscriber Rules Update

Date: 2024-06-24-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt

Modified Rules:

* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected


2024-06-25 14:13:06 UTC

Snort Subscriber Rules Update

Date: 2024-06-24-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt

Modified Rules:

* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected


2024-06-25 14:13:06 UTC

Snort Subscriber Rules Update

Date: 2024-06-24-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt

Modified Rules:

* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected


2024-06-25 14:13:06 UTC

Snort Subscriber Rules Update

Date: 2024-06-24-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt

Modified Rules:

* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected


2024-06-25 14:13:06 UTC

Snort Subscriber Rules Update

Date: 2024-06-24-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt

Modified Rules:

* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected


2024-06-25 14:13:07 UTC

Snort Subscriber Rules Update

Date: 2024-06-24-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.7.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt

Modified Rules:

* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected


2024-06-25 14:13:07 UTC

Snort Subscriber Rules Update

Date: 2024-06-24-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.9.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt

Modified Rules:

* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected


2024-06-25 14:13:07 UTC

Snort Subscriber Rules Update

Date: 2024-06-24-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.2.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt

Modified Rules:

* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected


2024-06-25 14:13:07 UTC

Snort Subscriber Rules Update

Date: 2024-06-24-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.11.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt

Modified Rules:

* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT I2P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected


2024-06-25 14:13:07 UTC

Snort Subscriber Rules Update

Date: 2024-06-24-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.15.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt

Modified Rules:

* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT I2P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected


2024-06-25 14:13:07 UTC

Snort Subscriber Rules Update

Date: 2024-06-24-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.18.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt

Modified Rules:

* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT I2P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected


2024-06-25 14:13:07 UTC

Snort Subscriber Rules Update

Date: 2024-06-24-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.20.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt

Modified Rules:

* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT I2P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected


2024-06-25 14:13:07 UTC

Snort Subscriber Rules Update

Date: 2024-06-24-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.21.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt

Modified Rules:

* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected


2024-06-25 14:13:07 UTC

Snort Subscriber Rules Update

Date: 2024-06-24-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.35.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt

Modified Rules:

* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected


2024-06-25 14:13:07 UTC

Snort Subscriber Rules Update

Date: 2024-06-24-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.44.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt

Modified Rules:

* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected


2024-06-25 14:13:07 UTC

Snort Subscriber Rules Update

Date: 2024-06-24-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.47.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:63606 <-> MALWARE-CNC Win.Malware.ReconShark variant outbound connection attempt
* 1:63607 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 1:63608 <-> MALWARE-TOOLS Win.Malware.ReconShark variant payload download
* 3:63609 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63610 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2002 attack attempt
* 3:63611 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63612 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2003 attack attempt
* 3:63613 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt
* 3:63614 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2010 attack attempt

Modified Rules:

* 1:13360 <-> APP-DETECT FTP 530 Login failed response
* 1:13586 <-> APP-DETECT SSH server detected on non-standard port
* 1:13898 <-> APP-DETECT Apple iTunes client request for server info
* 1:13899 <-> APP-DETECT Apple iTunes client login attempt
* 1:13900 <-> APP-DETECT Apple iTunes server multicast DNS response
* 1:15185 <-> APP-DETECT Nintendo Wii SSL Server Hello
* 1:16680 <-> APP-DETECT Tandberg VCS SSH default key
* 1:17110 <-> APP-DETECT VxWorks remote debugging agent login attempt
* 1:18608 <-> APP-DETECT Dropbox desktop software in use
* 1:18609 <-> APP-DETECT Dropbox desktop software in use
* 1:20443 <-> APP-DETECT Apple OSX Remote Mouse usage
* 1:21171 <-> APP-DETECT Thunder p2p application activity detection
* 1:21172 <-> APP-DETECT Thunder p2p application activity detection
* 1:21332 <-> APP-DETECT Synergy network kvm usage detected
* 1:21853 <-> APP-DETECT ptunnel icmp proxy
* 1:23616 <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested
* 1:23617 <-> APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt
* 1:24094 <-> APP-DETECT Teamviewer control server ping
* 1:24095 <-> APP-DETECT Teamviewer installer download attempt
* 1:25080 <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt
* 1:25081 <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt
* 1:25082 <-> APP-DETECT Apple Messages client side certificate request attempt
* 1:25083 <-> APP-DETECT Apple Messages service server request attempt
* 1:25358 <-> APP-DETECT Acunetix web vulnerability scan attempt
* 1:25359 <-> APP-DETECT Acunetix web vulnerability scanner probe attempt
* 1:25360 <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt
* 1:25361 <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt
* 1:25362 <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt
* 1:25363 <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt
* 1:25364 <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt
* 1:25365 <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt
* 1:25947 <-> APP-DETECT Ammyy remote access tool
* 1:26395 <-> APP-DETECT Ufasoft bitcoin miner possible data upload
* 1:27046 <-> APP-DETECT iodine dns tunneling handshake server ACK
* 1:27536 <-> APP-DETECT TCP over DNS response attempt
* 1:27668 <-> APP-DETECT Heyoka initial outbound connection attempt
* 1:27669 <-> APP-DETECT Heyoka outbound communication attempt
* 1:27700 <-> APP-DETECT NSTX DNS tunnel outbound connection attempt
* 1:27922 <-> APP-DETECT Splashtop outbound connection attempt
* 1:27923 <-> APP-DETECT Splashtop connection negotiation attempt
* 1:27924 <-> APP-DETECT Splashtop Streamer download attempt
* 1:27925 <-> APP-DETECT Splashtop Personal download attempt
* 1:27926 <-> APP-DETECT Splashtop Streamer certificate server connect attempt
* 1:27927 <-> APP-DETECT Splashtop inbound connection negotiation attempt
* 1:27928 <-> APP-DETECT Splashtop connection attempt
* 1:27929 <-> APP-DETECT Splashtop communication attempt
* 1:27930 <-> APP-DETECT DNS request for Splashtop domain splashtop.com
* 1:27931 <-> APP-DETECT DNS request for Splashtop domain splashtop.net
* 1:27932 <-> APP-DETECT DNS request for Splashtop domain devicevm.com
* 1:27933 <-> APP-DETECT Splashtop streamer download attempt
* 1:27934 <-> APP-DETECT Splashtop personal download attempt
* 1:28068 <-> APP-DETECT 360.cn Safeguard runtime outbound communication
* 1:28069 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn
* 1:28070 <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com
* 1:28071 <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt
* 1:28245 <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt
* 1:28246 <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response
* 1:29320 <-> APP-DETECT Baidu IME download attempt
* 1:29321 <-> APP-DETECT Baidu IME download attempt
* 1:29322 <-> APP-DETECT Baidu IME runtime detection - remote sync
* 1:29354 <-> APP-DETECT Foca file scanning attempt
* 1:29381 <-> APP-DETECT VPN Over DNS outbound traffic attempt
* 1:29382 <-> APP-DETECT VPN Over DNS application download attempt
* 1:29383 <-> APP-DETECT VPN Over DNS application download attempt
* 1:30195 <-> APP-DETECT Paros proxy outbound connection attempt
* 1:30253 <-> APP-DETECT Anyplace proxy header detected
* 1:30254 <-> APP-DETECT Anyplace usage attempt
* 1:30853 <-> APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org
* 1:30854 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com
* 1:30855 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net
* 1:30856 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com
* 1:30857 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com
* 1:30858 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org
* 1:30859 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com
* 1:30860 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com
* 1:30861 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net
* 1:30862 <-> APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net
* 1:30863 <-> APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org
* 1:30864 <-> APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org
* 1:30865 <-> APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com
* 1:30866 <-> APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org
* 1:30867 <-> APP-DETECT DNS request for known bitcoin domain seed.dogechain.info
* 1:30868 <-> APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com
* 1:30869 <-> APP-DETECT DNS request for known bitcoin domain seed.mophides.com
* 1:30870 <-> APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net
* 1:30871 <-> APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info
* 1:30872 <-> APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org
* 1:30873 <-> APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org
* 1:30874 <-> APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org
* 1:30875 <-> APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net
* 1:31532 <-> APP-DETECT Xolominer outbound connection attempt
* 1:32864 <-> APP-DETECT I2P NetBIOS name resolution request attempt
* 1:32865 <-> APP-DETECT I2P DNS request attempt
* 1:32866 <-> APP-DETECT I2P UPNP query attempt
* 1:33430 <-> APP-DETECT I2P traffic transmission attempt
* 1:34463 <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt
* 1:34496 <-> APP-DETECT Your-Freedom DNS tunneling query attempt
* 1:34497 <-> APP-DETECT Your-Freedom DNS tunneling query response attempt
* 1:37062 <-> APP-DETECT 12P DNS request attempt
* 1:37298 <-> APP-DETECT Hola VPN installation attempt
* 1:37299 <-> APP-DETECT Hola VPN installation attempt
* 1:37300 <-> APP-DETECT Hola VPN startup attempt
* 1:37301 <-> APP-DETECT Hola VPN startup attempt
* 1:37302 <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt
* 1:37303 <-> APP-DETECT Hola VPN X-Hola-Version header attempt
* 1:37304 <-> APP-DETECT Hola VPN non-http port ping
* 1:37305 <-> APP-DETECT Hola VPN tunnel keep alive
* 1:37306 <-> APP-DETECT Hola VPN startup attempt
* 1:37354 <-> APP-DETECT Jenkins Groovy script access through script console attempt
* 1:38594 <-> APP-DETECT Bloomberg web crawler outbound connection
* 1:40335 <-> APP-DETECT OpenVAS Scanner User-Agent attempt
* 1:42492 <-> APP-DETECT Intel AMT DHCP boot request detected
* 1:43565 <-> APP-DETECT HTTPTunnel proxy outbound connection detected
* 1:50870 <-> APP-DETECT Quagga password challenge detected